From cbbd855ca7437894cb4ca9c9e9d45228eb3bbd123a7ba76b1a0f56365befe420 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Tue, 28 Oct 2025 12:01:27 +0100
Subject: [PATCH] V8.13.294.2025.10.28
Signed-off-by: Marc S. Weidner
---
lib/lib_sanitizer.sh | 59 +++++++++++++++++----
lib/lib_source_guard.sh | 7 ++-
lib/lib_usage.sh | 11 +++-
lib/lib_version.sh | 7 +++
scripts/usr/lib/live/build/binary_rootfs.sh | 46 ++++++++--------
5 files changed, 95 insertions(+), 35 deletions(-)
diff --git a/lib/lib_sanitizer.sh b/lib/lib_sanitizer.sh
index 7c12c5a..f2901ee 100644
--- a/lib/lib_sanitizer.sh
+++ b/lib/lib_sanitizer.sh
@@ -13,9 +13,11 @@ guard_sourcing ####################################### -# Argument Check Wrapper +# Arguments check wrapper. +# Globals: +# None # Arguments: -# $1: "$@" of ./ciss_live_builder.sh +# 1: "$@" of ./ciss_live_builder.sh ####################################### arg_check() { declare a
@@ -25,35 +27,49 @@ arg_check() { done set -- "${sanitized_args[@]}" } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f arg_check ####################################### -# Function to sanitize a single argument +# Function to sanitize a single argument, # Globals: -# ERR_INVLD_CHAR # LOG_ERROR # Arguments: -# $1: Argument to check +# 1: Argument to check +# Returns: +# 0: on success +# ERR_INVLD_CHAR: on failure ####################################### sanitize_arg() { declare input="${1}" declare disallowed_ctrl="" + ### Step 1: Check for control characters if printf '%s' "${input}" | grep -qP '[[:cntrl:]]'; then + + # shellcheck disable=SC2312 disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \ - | while read -r c; do printf "%02X " "'$c"; done) + | while read -r c; do printf "%02X " "'${c}"; done) + { printf "❌ Control character : '%s'. \n" "${disallowed_ctrl}" printf "❌ in argument : '%s'. \n" "${input}" printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n" printf "\n" } >> "${LOG_ERROR}" + boot_screen_cleaner + printf "\e[91m❌ Control character : '%s'. \e[0m\n" "${disallowed_ctrl}" >&2 printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2 printf "\e[91m❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2 + # shellcheck disable=SC2162 read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_INVLD_CHAR}" + fi ### Step 2: Define allowed characters: @@ -61,6 +77,7 @@ sanitize_arg() { declare allowed='a-zA-Z0-9._/=\[\]:"\-+ ' declare disallowed disallowed=$(printf '%s' "${input}" | tr -d "${allowed}") + if [[ -n ${disallowed} ]]; then { printf "❌ Invalid character : '%s'. \n" "${disallowed//?/& }" 
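Review bot: In `sanitize_arg`, a line feed inside an argument is not caught by either check visible in this hunk. Step 1 pipes the input to `grep -qP '[[:cntrl:]]'`, and grep consumes the newline as its record separator, so it never matches; Step 2 leaves only the newline after `tr -d "${allowed}"`, and the command substitution strips trailing newlines, so `disallowed` ends up empty. An argument made of allowed characters plus embedded newlines would therefore reach the success branch. A shell-native test avoids the line-oriented tools: `if [[ "${input}" == *[[:cntrl:]]* ]]; then`. The function's closing lines are in the following hunk.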
@@ -68,22 +85,36 @@ sanitize_arg() { printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n" printf "\n" } >> "${LOG_ERROR}" + boot_screen_cleaner + printf "\e[91m❌ Invalid character : '%s'. \e[0m\n" "${disallowed//?/& }" >&2 printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2 printf "\e[91m❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2 + # shellcheck disable=SC2162 read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_INVLD_CHAR}" + else + printf '%s' "${input}" + fi + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f sanitize_arg ####################################### -# Function to remove any character not in the allowed set +# Function to remove any character not in the allowed set. +# Globals: +# None # Arguments: -# $1: String to Sanitize +# 1: String to Sanitize ####################################### sanitize_string() { declare input="$1"
@@ -92,15 +123,23 @@ sanitize_string() { declare allowed='a-zA-Z0-9._/=\[\]:"\-+ ' printf '%s' "${input}" | tr -cd "${allowed}" } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f sanitize_string ####################################### -# Function to escape all shell metacharacters +# Function to escape all shell metacharacters. +# Globals: +# None # Arguments: -# $1: String to Sanitize +# 1: String to Sanitize ####################################### sanitize_shell_literal() { declare input="$1" ### %q quotes the string so that the shell re-reads it as the original literal printf '%q' "${input}" } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f sanitize_shell_literal # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_source_guard.sh b/lib/lib_source_guard.sh
index 60a1635..522860f 100644
--- a/lib/lib_source_guard.sh
+++ b/lib/lib_source_guard.sh
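Review bot: The new header comment for `sanitize_arg` (added in the previous hunk) says it returns `ERR_INVLD_CHAR` on failure, but both failure branches call `exit "${ERR_INVLD_CHAR}"`, and the comment no longer lists `ERR_INVLD_CHAR` under Globals although it is still read. Because the success branch prints the argument with `printf '%s' "${input}"`, callers presumably capture the output in a command substitution; if so, the `exit` ends only that subshell and the caller has to check the status itself — the call site is outside these hunks, so this needs confirming. I would document it as `# Globals: ERR_INVLD_CHAR, LOG_ERROR` and `# Exits: ERR_INVLD_CHAR on invalid input`. The added `return 0` is reached only from the success branch.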
@@ -11,7 +11,9 @@ # SPDX-Security-Contact: security@coresecret.eu ####################################### -# Prevent the file to be sourced twice. +# Prevents the file to be sourced twice. +# Globals: +# None # Arguments: # 1: File to source. #######################################
@@ -25,4 +27,7 @@ source_guard() { . "${var_file}" fi } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f source_guard # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index 88bb050..85aeebb 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -12,8 +12,12 @@ ####################################### # Usage Wrapper CISS.debian.live.builder +# Globals: +# None # Arguments: -# 0: Script name +# None +# Returns: +# 0: on success ####################################### usage() { # shellcheck disable=SC2155
@@ -162,5 +166,10 @@ usage() { echo echo -e "\e[1;97m${var_footer}\e[0m" } | less -R + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f usage # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_version.sh b/lib/lib_version.sh
index c50471c..7ad3c68 100644
--- a/lib/lib_version.sh
+++ b/lib/lib_version.sh
@@ -16,6 +16,8 @@ # VAR_VERSION # Arguments: # None +# Returns: +# 0: on success ####################################### version() { # shellcheck disable=SC2155
@@ -50,5 +52,10 @@ $(echo -e "\e[97m############################################################### Bash : ${var_bash_ver} EOF + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f version # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/scripts/usr/lib/live/build/binary_rootfs.sh b/scripts/usr/lib/live/build/binary_rootfs.sh
index 81c8e7d..2371dbb 100644
--- a/scripts/usr/lib/live/build/binary_rootfs.sh
+++ b/scripts/usr/lib/live/build/binary_rootfs.sh
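Review bot: `readonly -f source_guard` makes any later re-definition of the function fail, and this file's own protection against being sourced twice is not visible in the hunk. If `lib_source_guard.sh` is ever sourced a second time in the same shell, bash rejects the `source_guard() { … }` definition with a "readonly function" error and a non-zero status, which would abort the run if errexit is enabled. The same applies to `readonly -f usage` in lib/lib_usage.sh and `readonly -f version` in lib/lib_version.sh. Worth confirming each of these files is loaded exactly once, or skipping the definition when it already exists, e.g. `declare -F source_guard >/dev/null && return 0` near the top of the file.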
@@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -23,7 +23,7 @@ set -e # Including common functions -if [[ -e "${LIVE_BUILD}/scripts/build.sh" ]]; then +if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then . "${LIVE_BUILD}/scripts/build.sh" else . /usr/lib/live/build.sh
@@ -74,7 +74,7 @@ esac # Creating directory mkdir -p "binary/${INITFS}" -if In_list "rootfs" "${LB_CACHE_STAGES}" && [[ -d cache/binary_rootfs ]] +if In_list "rootfs" "${LB_CACHE_STAGES}" && [ -d cache/binary_rootfs ] then # Removing old chroot rm -rf binary/"${INITFS}"/filesystem.*
@@ -100,7 +100,7 @@ case "${LB_CHROOT_FILESYSTEM}" in Install_packages # Remove old image - if [[ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ]] + if [ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ] then rm -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" fi
@@ -135,7 +135,7 @@ case "${LB_CHROOT_FILESYSTEM}" in FAKE_MTAB=true fi BLOCK_SIZE=1024 - if [[ "${LB_DM_VERITY}" = "true" ]] + if [ "${LB_DM_VERITY}" = "true" ] then # Module dm-verity needs a block size of at least 4k BLOCK_SIZE=4096
@@ -162,7 +162,7 @@ case "${LB_CHROOT_FILESYSTEM}" in # Removing depends Remove_packages - if [[ -e chroot/chroot.cache ]] + if [ -e chroot/chroot.cache ] then Remove_lockfile mv chroot/chroot chroot.tmp
@@ -208,12 +208,12 @@ case "${LB_CHROOT_FILESYSTEM}" in Install_packages # Remove old jffs2 image - if [[ -f "binary/${INITFS}/filesystem.jffs2" ]] + if [ -f "binary/${INITFS}/filesystem.jffs2" ] then rm -f "binary/${INITFS}/filesystem.jffs2" fi - if [[ -n "${LB_JFFS2_ERASEBLOCK}" ]] + if [ -n "${LB_JFFS2_ERASEBLOCK}" ] then JFFS2_OPTIONS="--eraseblock=${LB_JFFS2_ERASEBLOCK}" fi
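Review bot: Switching the interpreter to `#!/bin/sh` leaves the `printf "\e[95m[INFO] …"` calls further down (context lines of the `@@ -335,28 +335,28 @@` hunk) relying on `\e`, which is not among the escapes POSIX defines for printf. Under a `/bin/sh` such as dash the sequence may be printed literally instead of colouring the message. The octal form is portable: `printf "\033[95m[INFO] Found: [config/rootfs/excludes] \n\033[0m"`. The `[[ … ]]` to `[ … ]` conversions in the other hunks of this file look equivalent, since every variable expansion inside the tests is quoted.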
@@ -228,7 +228,7 @@ case "${LB_CHROOT_FILESYSTEM}" in # Removing depends Remove_packages - if [[ -e chroot/chroot.cache ]] + if [ -e chroot/chroot.cache ] then Remove_lockfile mv chroot/chroot chroot.tmp
@@ -256,14 +256,14 @@ case "${LB_CHROOT_FILESYSTEM}" in ;; plain) - if [[ -d "binary/${INITFS}/filesystem.dir" ]] + if [ -d "binary/${INITFS}/filesystem.dir" ] then rm -rf "binary/${INITFS}/filesystem.dir" fi case "${LB_BUILD_WITH_CHROOT}" in true) - if [[ -e chroot/chroot.cache ]] + if [ -e chroot/chroot.cache ] then # Different from the other LB_CHROOT_FILESYSTEM values: # continue working in the bootstrap chroot, not the generated chroot.
@@ -298,7 +298,7 @@ case "${LB_CHROOT_FILESYSTEM}" in Echo_message "This may take a while." # Remove old squashfs image - if [[ -f "binary/${INITFS}/filesystem.squashfs" ]] + if [ -f "binary/${INITFS}/filesystem.squashfs" ] then rm -f "binary/${INITFS}/filesystem.squashfs" fi
@@ -309,17 +309,17 @@ case "${LB_CHROOT_FILESYSTEM}" in # Do not display the progress bar if: # - Run with --quiet, or # - stdin is not a terminal (e.g., in CI, cron, etc.) - if [[ "${_QUIET}" = "true" ]] || [[ ! -t 0 ]] + if [ "${_QUIET}" = "true" ] || [ ! -t 0 ] then MKSQUASHFS_OPTIONS="-no-progress ${MKSQUASHFS_OPTIONS}" fi - if [[ "${_VERBOSE}" = "true" ]] + if [ "${_VERBOSE}" = "true" ] then MKSQUASHFS_OPTIONS="-info ${MKSQUASHFS_OPTIONS}" fi - if [[ -f config/rootfs/squashfs.sort ]] + if [ -f config/rootfs/squashfs.sort ] then MKSQUASHFS_OPTIONS="-sort squashfs.sort ${MKSQUASHFS_OPTIONS}"
@@ -335,28 +335,28 @@ case "${LB_CHROOT_FILESYSTEM}" in fi # Set squashfs compression type or default to xz - if [[ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ]] + if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ] then MKSQUASHFS_OPTIONS="-comp ${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE} ${MKSQUASHFS_OPTIONS}" else MKSQUASHFS_OPTIONS="-comp xz ${MKSQUASHFS_OPTIONS}" fi - if [[ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ]] + if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ] then MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}" fi case "${LB_BUILD_WITH_CHROOT}" in true) - if [[ -e config/rootfs/excludes ]] + if [ -e config/rootfs/excludes ] then printf "\e[95m[INFO] Found: [config/rootfs/excludes] \n\e[0m" cp -a config/rootfs/excludes chroot/excludes - if [[ -e chroot/excludes ]] + if [ -e chroot/excludes ] then printf "\e[95m[INFO] Found: [chroot/excludes] \n\e[0m"
@@ -384,7 +384,7 @@ case "${LB_CHROOT_FILESYSTEM}" in # Removing depends Remove_packages - if [[ -e chroot/chroot.cache ]] + if [ -e chroot/chroot.cache ] then Remove_lockfile mv chroot/chroot chroot.tmp
@@ -403,7 +403,7 @@ case "${LB_CHROOT_FILESYSTEM}" in ;; false) - if [[ -e config/rootfs/excludes ]] + if [ -e config/rootfs/excludes ] then MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}" fi
@@ -419,7 +419,7 @@ case "${LB_CHROOT_FILESYSTEM}" in ;; none) - if [[ -d binary ]] + if [ -d binary ] then rm -rf binary fi
@@ -444,7 +444,7 @@ then mkdir -p cache/binary_rootfs - if [[ "${LB_CHROOT_FILESYSTEM}" != "none" ]] + if [ "${LB_CHROOT_FILESYSTEM}" != "none" ] then cp -a binary/"${INITFS}"/filesystem.* cache/binary_rootfs fi