Sanitize input arguments validation
This patch ensures that non-positional parameters
are given after the positional args. Until now, mixing
them led to malicious script behaviour.
Change-Id: Idf2b6a57d0cd8561e74e467f68ddc5d086e7a0c0
Issue-ID: OOM-1621
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
diff --git a/build/package.sh b/build/package.sh
index c527db2..a3c1ded 100755
--- a/build/package.sh
+++ b/build/package.sh
@@ -31,6 +31,12 @@
exit "${exit_code}"
}
+crash_arguments () {
+ echo "Missing some mandatory arguments!"
+ usage
+ exit 1
+}
+
usage () {
echo "Usage:"
echo " ./$(basename $0) <project_name> <version> <packaging_target_dir> [--conf <file>] [--force]"
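Review bot: `crash_arguments` prints its error on stdout, so a caller that captures or pipes the script's output gets the message mixed into the data and can miss the failure text. The line would be better as `echo "Missing some mandatory arguments!" >&2`. The same applies to the "Non-positional parameters should follow mandatory arguments!" echo added in the argument loop of the next hunk. Whether `usage` writes to stderr cannot be seen here, because its body continues outside the hunk.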
@@ -200,16 +206,21 @@
# adjusted accordingly.
HELM_CHARTS_DIR_IN_PACKAGE="${APPLICATION_FILES_IN_PACKAGE}/helm_charts"
-if [ "$#" -lt 3 ]; then
- echo "Missing some mandatory arguments!"
- usage
- exit 1
+if [ $# -eq 0 ]; then
+ crash_arguments
fi
CONF_FILE=""
FORCE_REMOVE=0
+arg_ind=0
for arg in "$@"; do
shift
+ ((arg_ind+=1))
+ if [[ ${arg} =~ ^[-]{1,2}[a-zA-Z-]+$ && ${arg_ind} -lt 4 ]]; then
+ echo "Non-positional parameters should follow mandatory arguments!"
+ usage
+ exit 1
+ fi
case "$arg" in
-c|--conf)
CONF_FILE="$1" ;;
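Review bot: The new position check does not cover `-c|--conf` passed as the last argument with no value. After the loop's `shift`, `$1` is then the first positional that the `*)` branch re-appended, so `CONF_FILE` silently becomes the project name. Setting `total_args=$#` beside `arg_ind=0` and putting `[ "${arg_ind}" -lt "${total_args}" ] || crash_arguments` ahead of `CONF_FILE="$1"` would reject that call. The regex also accepts only letters and dashes, so option-like words such as a constructed `--conf=file` or `-1` still pass as positionals; that matters if, as `FORCE_REMOVE` suggests, a positional is later used as a directory to delete. The `for`/`case` block continues outside the hunk.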
@@ -217,6 +228,9 @@
FORCE_REMOVE=1 ;;
*)
set -- "$@" "$arg"
+ if [ "$#" -lt 3 ]; then
+ crash_arguments
+ fi ;;
esac
done
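Review bot: The `[ "$#" -lt 3 ]` test inside `*)` appears to be loop-invariant: each positional pass does one `shift` and one `set -- "$@" "$arg"`, so `$#` is unchanged, and the index guard added earlier already keeps options out of the first three slots. It therefore seems able to fire only on the first iteration, which makes it equivalent to the removed up-front check but harder to follow. Keeping `if [ "$#" -lt 3 ]; then crash_arguments; fi` before the loop would state the intent directly. If the in-loop form stays, a comment such as `# $# is unchanged here: one shift, one re-append` would help. The `case` starts outside this hunk, so its other branches were not checked.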