commit fdf9798024a2c7f6c6cfc4199434376d0bcc3f7f
author Bartek Grzybowski <b.grzybowski@partner.samsung.com> Mon Mar 18 16:09:51 2019 +0100
committer Bartek Grzybowski <b.grzybowski@partner.samsung.com> Mon Mar 18 16:09:51 2019 +0100
tree 067c12b4528f19684ef184e7a5df1e76428af328
parent c3bdc3210bbaf715805059bfef9b182051b3aa0c

Sanitize input arguments validation

This patch ensures non-positional parameters
are given past positional args. So far mixing
them led to malicious script behaviour.

Change-Id: Idf2b6a57d0cd8561e74e467f68ddc5d086e7a0c0
Issue-ID: OOM-1621
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>

build/package.sh

diff --git a/build/package.sh b/build/package.sh
index c527db2..a3c1ded 100755
--- a/build/package.sh
+++ b/build/package.sh
@@ -31,6 +31,12 @@
     exit "${exit_code}"
 }
 
+crash_arguments () {
+    echo "Missing some mandatory arguments!"
+    usage
+    exit 1
+}
+
 usage () {
     echo "Usage:"
     echo "   ./$(basename $0) <project_name> <version> <packaging_target_dir> [--conf <file>] [--force]"
@@ -200,16 +206,21 @@
 # adjusted accordingly.
 HELM_CHARTS_DIR_IN_PACKAGE="${APPLICATION_FILES_IN_PACKAGE}/helm_charts"
 
-if [ "$#" -lt 3 ]; then
-    echo "Missing some mandatory arguments!"
-    usage
-    exit 1
+if [ $# -eq 0 ]; then
+    crash_arguments
 fi
 
 CONF_FILE=""
 FORCE_REMOVE=0
+arg_ind=0
 for arg in "$@"; do
   shift
+  ((arg_ind+=1))
+  if [[ ${arg} =~ ^[-]{1,2}[a-zA-Z-]+$ && ${arg_ind} -lt 4 ]]; then
+      echo "Non-positional parameters should follow mandatory arguments!"
+      usage
+      exit 1
+  fi
   case "$arg" in
     -c|--conf)
         CONF_FILE="$1" ;;
@@ -217,6 +228,9 @@
         FORCE_REMOVE=1 ;;
     *)
         set -- "$@" "$arg"
+        if [ "$#" -lt 3 ]; then
+	    crash_arguments
+        fi ;;
   esac
 done