|
spdk-23.09-alt1.x86_64 |
unsafe-tmp-usage-in-scripts |
fail |
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/libexec/spdk/scripts/spdx.sh: $ grep /tmp/ /usr/libexec/spdk/scripts/spdx.sh etc usr THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT etc usr (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE etc usr OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. etc/ usr/ END ) > /tmp/c.txt ( cat << 'END' # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # END ) > /tmp/makefile.txt function get_sha() { sha= start=$(cat -n $1 | grep "Redistribution and use" | awk '{print $1}') end=$(cat -n $1 | grep "POSSIBILITY OF SUCH DAMAGE" | head -1 | awk '{print $1}') -- fi count=$((end - start + 1)) sha=$(sed -n "${start},+${count}p" $1 | sha1sum | awk '{print $1}') } intel_c_sha=$(sed 's/__COMPANY__/Intel Corporation/g' /tmp/c.txt | sha1sum | awk '{print $1}') nvidia_c_sha=$(sed 's/__COMPANY__/Nvidia Corporation/g' /tmp/c.txt | sha1sum | awk '{print $1}') samsung_c_sha=$(sed 's/__COMPANY__/Samsung Electronics Co., Ltd./g' /tmp/c.txt | sha1sum | awk '{print $1}') eideticom_c_sha=$(sed 's/__COMPANY__/Eideticom Inc/g' /tmp/c.txt | sha1sum | awk '{print $1}') generic_c_sha=$(sed 's/__COMPANY__/the copyright holder/g' /tmp/c.txt | sha1sum | awk '{print $1}') for f in $(git ls-files '**/*.c' '**/*.cpp' '**/*.h' '**/*.cc' '**/*.go'); do get_sha $f if [[ $sha == "$intel_c_sha" ]] \ || [[ $sha == "$nvidia_c_sha" ]] \ -- sed -i '1 i /ALT /bin /boot /dev /etc /home /lib /lib64 /libx32 /media /mnt /opt /proc /reboot /root /run /sbin /selinux /srv /sys /tmp /urn:fontconfig:fonts.dtd /usr /var SPDX-License-Identifier: BSD-3-Clause' $f fi done intel_makefile_sha=$(sed 's/__COMPANY__/Intel Corporation/g' /tmp/makefile.txt | sha1sum | awk '{print $1}') nvidia_makefile_sha=$(sed 's/__COMPANY__/Nvidia Corporation/g' /tmp/makefile.txt | sha1sum | awk '{print $1}') samsung_makefile_sha=$(sed 's/__COMPANY__/Samsung Electronics Co., Ltd./g' /tmp/makefile.txt | sha1sum | awk '{print $1}') eideticom_makefile_sha=$(sed 's/__COMPANY__/Eideticom Inc/g' /tmp/makefile.txt | sha1sum | awk '{print $1}') generic_makefile_sha=$(sed 's/__COMPANY__/the copyright holder/g' /tmp/makefile.txt | sha1sum | awk '{print $1}') for f in $(git ls-files CONFIG MAKEFILE '**/*.mk' '**/Makefile'); do get_sha $f if [[ $sha == "$intel_makefile_sha" ]] \ || [[ $sha == "$nvidia_makefile_sha" ]] \ |