From 94f77e1330769b2181029091514118d6e965bb35 Mon Sep 17 00:00:00 2001 From: Reinier Criel Date: Fri, 10 Apr 2026 15:25:50 -0700 Subject: [PATCH] Address more code quality issues --- install-scripts/install-safe-chain.ps1 | 25 +++++++++++----------- install-scripts/install-safe-chain.sh | 27 ++++++++++++------------ install-scripts/uninstall-safe-chain.ps1 | 25 +++++++++++----------- install-scripts/uninstall-safe-chain.sh | 26 +++++++++++------------ 4 files changed, 49 insertions(+), 54 deletions(-) diff --git a/install-scripts/install-safe-chain.ps1 b/install-scripts/install-safe-chain.ps1 index fac897b..2635528 100644 --- a/install-scripts/install-safe-chain.ps1 +++ b/install-scripts/install-safe-chain.ps1 @@ -9,6 +9,18 @@ param( $Version = $env:SAFE_CHAIN_VERSION # Will be fetched from latest release if not set $SafeChainBase = if ($env:SAFE_CHAIN_DIR) { $env:SAFE_CHAIN_DIR } else { Join-Path $env:USERPROFILE ".safe-chain" } + +# Validate $SafeChainBase before any filesystem operations +if (-not [System.IO.Path]::IsPathRooted($SafeChainBase)) { + Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $SafeChainBase" -ForegroundColor Red; exit 1 +} +if ($SafeChainBase -match '\.\.') { + Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1 +} +if ($SafeChainBase -match '^[A-Za-z]:[/\\]?$' -or $SafeChainBase -eq '/') { + Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1 +} + $InstallDir = Join-Path $SafeChainBase "bin" $RepoUrl = "https://github.com/AikidoSec/safe-chain" @@ -150,19 +162,6 @@ function Remove-VoltaInstallation { # Main installation function Install-SafeChain { - # Validate SAFE_CHAIN_DIR before using it to write files - if ($env:SAFE_CHAIN_DIR) { - if (-not [System.IO.Path]::IsPathRooted($env:SAFE_CHAIN_DIR)) { - Write-Error-Custom "SAFE_CHAIN_DIR must be an absolute path, got: $($env:SAFE_CHAIN_DIR)" - } - if ($env:SAFE_CHAIN_DIR -match '\.\.') { - Write-Error-Custom "SAFE_CHAIN_DIR must not contain path traversal (..)" - } - if ($env:SAFE_CHAIN_DIR -match '^[A-Za-z]:[/\\]?$' -or $env:SAFE_CHAIN_DIR -eq '/') { - Write-Error-Custom "SAFE_CHAIN_DIR cannot be a root or drive-root directory" - } - } - # Show deprecation warning if SAFE_CHAIN_VERSION is set if (-not [string]::IsNullOrWhiteSpace($env:SAFE_CHAIN_VERSION)) { Write-Warn "SAFE_CHAIN_VERSION environment variable is deprecated." diff --git a/install-scripts/install-safe-chain.sh b/install-scripts/install-safe-chain.sh index 57b06d3..e371183 100755 --- a/install-scripts/install-safe-chain.sh +++ b/install-scripts/install-safe-chain.sh @@ -9,6 +9,19 @@ set -e # Exit on error # Configuration VERSION="${SAFE_CHAIN_VERSION:-}" # Will be fetched from latest release if not set SAFE_CHAIN_BASE="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}" + +# Validate SAFE_CHAIN_BASE before any filesystem operations +case "${SAFE_CHAIN_BASE}" in + /*) ;; + *) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${SAFE_CHAIN_BASE}" >&2; exit 1 ;; +esac +case "${SAFE_CHAIN_BASE}" in + *../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;; +esac +if [ "${SAFE_CHAIN_BASE}" = "/" ]; then + printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1 +fi + INSTALL_DIR="${SAFE_CHAIN_BASE}/bin" REPO_URL="https://github.com/AikidoSec/safe-chain" @@ -247,20 +260,6 @@ parse_arguments() { # Main installation main() { - # Validate SAFE_CHAIN_DIR before using it to write files - if [ -n "${SAFE_CHAIN_DIR}" ]; then - case "${SAFE_CHAIN_DIR}" in - /*) ;; # absolute path — OK - *) error "SAFE_CHAIN_DIR must be an absolute path, got: ${SAFE_CHAIN_DIR}" ;; - esac - case "${SAFE_CHAIN_DIR}" in - *../*|*/..*|..) error "SAFE_CHAIN_DIR must not contain path traversal (..)" ;; - esac - if [ "${SAFE_CHAIN_DIR}" = "/" ]; then - error "SAFE_CHAIN_DIR cannot be the root directory" - fi - fi - # Initialize argument flags USE_CI_SETUP=false diff --git a/install-scripts/uninstall-safe-chain.ps1 b/install-scripts/uninstall-safe-chain.ps1 index a4f1fc1..f342377 100644 --- a/install-scripts/uninstall-safe-chain.ps1 +++ b/install-scripts/uninstall-safe-chain.ps1 @@ -5,6 +5,18 @@ # Use HOME on Unix, USERPROFILE on Windows (PowerShell Core is cross-platform) $HomeDir = if ($env:HOME) { $env:HOME } else { $env:USERPROFILE } $DotSafeChain = if ($env:SAFE_CHAIN_DIR) { $env:SAFE_CHAIN_DIR } else { Join-Path $HomeDir ".safe-chain" } + +# Validate $DotSafeChain before any filesystem operations +if (-not [System.IO.Path]::IsPathRooted($DotSafeChain)) { + Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $DotSafeChain" -ForegroundColor Red; exit 1 +} +if ($DotSafeChain -match '\.\.') { + Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1 +} +if ($DotSafeChain -match '^[A-Za-z]:[/\\]?$' -or $DotSafeChain -eq '/') { + Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1 +} + $InstallDir = Join-Path $DotSafeChain "bin" # Helper functions @@ -75,19 +87,6 @@ function Remove-VoltaInstallation { # Main uninstallation function Uninstall-SafeChain { - # Validate SAFE_CHAIN_DIR before using it to delete files - if ($env:SAFE_CHAIN_DIR) { - if (-not [System.IO.Path]::IsPathRooted($env:SAFE_CHAIN_DIR)) { - Write-Error-Custom "SAFE_CHAIN_DIR must be an absolute path, got: $($env:SAFE_CHAIN_DIR)" - } - if ($env:SAFE_CHAIN_DIR -match '\.\.') { - Write-Error-Custom "SAFE_CHAIN_DIR must not contain path traversal (..)" - } - if ($env:SAFE_CHAIN_DIR -match '^[A-Za-z]:[/\\]?$' -or $env:SAFE_CHAIN_DIR -eq '/') { - Write-Error-Custom "SAFE_CHAIN_DIR cannot be a root or drive-root directory" - } - } - Write-Info "Uninstalling safe-chain..." # Run teardown if safe-chain is available diff --git a/install-scripts/uninstall-safe-chain.sh b/install-scripts/uninstall-safe-chain.sh index 5440730..1cd8f9b 100755 --- a/install-scripts/uninstall-safe-chain.sh +++ b/install-scripts/uninstall-safe-chain.sh @@ -9,6 +9,18 @@ set -e # Exit on error # Configuration DOT_SAFE_CHAIN="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}" +# Validate DOT_SAFE_CHAIN before any filesystem operations +case "${DOT_SAFE_CHAIN}" in + /*) ;; + *) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${DOT_SAFE_CHAIN}" >&2; exit 1 ;; +esac +case "${DOT_SAFE_CHAIN}" in + *../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;; +esac +if [ "${DOT_SAFE_CHAIN}" = "/" ]; then + printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1 +fi + # Colors for output RED='\033[0;31m' GREEN='\033[0;32m' @@ -139,20 +151,6 @@ remove_nvm_installation() { # Main uninstallation main() { - # Validate SAFE_CHAIN_DIR before using it to delete files - if [ -n "${SAFE_CHAIN_DIR}" ]; then - case "${SAFE_CHAIN_DIR}" in - /*) ;; # absolute path — OK - *) error "SAFE_CHAIN_DIR must be an absolute path, got: ${SAFE_CHAIN_DIR}" ;; - esac - case "${SAFE_CHAIN_DIR}" in - *../*|*/..*|..) error "SAFE_CHAIN_DIR must not contain path traversal (..)" ;; - esac - if [ "${SAFE_CHAIN_DIR}" = "/" ]; then - error "SAFE_CHAIN_DIR cannot be the root directory" - fi - fi - SAFE_CHAIN_LOCATION="$DOT_SAFE_CHAIN/bin/safe-chain" if [ -x "$SAFE_CHAIN_LOCATION" ]; then