mirror of
https://github.com/AikidoSec/safe-chain.git
synced 2026-05-26 12:10:49 +00:00
Validate ENV VAR
This commit is contained in:
Reinier Criel
parent
98dcda78da
commit
df8be031cb
4 changed files with 55 additions and 46 deletions
|
|
@ -8,19 +8,21 @@ param(
|
||||||
)
|
)
|
||||||
|
|
||||||
$Version = $env:SAFE_CHAIN_VERSION # Will be fetched from latest release if not set
|
$Version = $env:SAFE_CHAIN_VERSION # Will be fetched from latest release if not set
|
||||||
$SafeChainBase = if ($env:SAFE_CHAIN_DIR) { $env:SAFE_CHAIN_DIR } else { Join-Path $env:USERPROFILE ".safe-chain" }
|
|
||||||
|
|
||||||
# Validate $SafeChainBase before any filesystem operations
|
# Validate SAFE_CHAIN_DIR before use
|
||||||
if (-not [System.IO.Path]::IsPathRooted($SafeChainBase)) {
|
if ($env:SAFE_CHAIN_DIR) {
|
||||||
Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $SafeChainBase" -ForegroundColor Red; exit 1
|
if (-not [System.IO.Path]::IsPathRooted($env:SAFE_CHAIN_DIR)) {
|
||||||
|
Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $($env:SAFE_CHAIN_DIR)" -ForegroundColor Red; exit 1
|
||||||
}
|
}
|
||||||
if ($SafeChainBase -match '\.\.') {
|
if ($env:SAFE_CHAIN_DIR -match '\.\.') {
|
||||||
Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1
|
Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1
|
||||||
}
|
}
|
||||||
if ($SafeChainBase -match '^[A-Za-z]:[/\\]?$' -or $SafeChainBase -eq '/') {
|
if ($env:SAFE_CHAIN_DIR -match '^[A-Za-z]:[/\\]?$' -or $env:SAFE_CHAIN_DIR -eq '/') {
|
||||||
Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1
|
Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$SafeChainBase = if ($env:SAFE_CHAIN_DIR) { $env:SAFE_CHAIN_DIR } else { Join-Path $env:USERPROFILE ".safe-chain" }
|
||||||
$InstallDir = Join-Path $SafeChainBase "bin"
|
$InstallDir = Join-Path $SafeChainBase "bin"
|
||||||
$RepoUrl = "https://github.com/AikidoSec/safe-chain"
|
$RepoUrl = "https://github.com/AikidoSec/safe-chain"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -8,20 +8,22 @@ set -e # Exit on error
|
||||||
|
|
||||||
# Configuration
|
# Configuration
|
||||||
VERSION="${SAFE_CHAIN_VERSION:-}" # Will be fetched from latest release if not set
|
VERSION="${SAFE_CHAIN_VERSION:-}" # Will be fetched from latest release if not set
|
||||||
SAFE_CHAIN_BASE="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}"
|
|
||||||
|
|
||||||
# Validate SAFE_CHAIN_BASE before any filesystem operations
|
# Validate SAFE_CHAIN_DIR before use
|
||||||
case "${SAFE_CHAIN_BASE}" in
|
if [ -n "${SAFE_CHAIN_DIR}" ]; then
|
||||||
|
case "${SAFE_CHAIN_DIR}" in
|
||||||
/*) ;;
|
/*) ;;
|
||||||
*) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${SAFE_CHAIN_BASE}" >&2; exit 1 ;;
|
*) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${SAFE_CHAIN_DIR}" >&2; exit 1 ;;
|
||||||
esac
|
esac
|
||||||
case "${SAFE_CHAIN_BASE}" in
|
case "${SAFE_CHAIN_DIR}" in
|
||||||
*../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;;
|
*../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;;
|
||||||
esac
|
esac
|
||||||
if [ "${SAFE_CHAIN_BASE}" = "/" ]; then
|
if [ "${SAFE_CHAIN_DIR}" = "/" ]; then
|
||||||
printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1
|
printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
SAFE_CHAIN_BASE="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}"
|
||||||
INSTALL_DIR="${SAFE_CHAIN_BASE}/bin"
|
INSTALL_DIR="${SAFE_CHAIN_BASE}/bin"
|
||||||
REPO_URL="https://github.com/AikidoSec/safe-chain"
|
REPO_URL="https://github.com/AikidoSec/safe-chain"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,19 +4,21 @@
|
||||||
|
|
||||||
# Use HOME on Unix, USERPROFILE on Windows (PowerShell Core is cross-platform)
|
# Use HOME on Unix, USERPROFILE on Windows (PowerShell Core is cross-platform)
|
||||||
$HomeDir = if ($env:HOME) { $env:HOME } else { $env:USERPROFILE }
|
$HomeDir = if ($env:HOME) { $env:HOME } else { $env:USERPROFILE }
|
||||||
$DotSafeChain = if ($env:SAFE_CHAIN_DIR) { $env:SAFE_CHAIN_DIR } else { Join-Path $HomeDir ".safe-chain" }
|
|
||||||
|
|
||||||
# Validate $DotSafeChain before any filesystem operations
|
# Validate SAFE_CHAIN_DIR before use
|
||||||
if (-not [System.IO.Path]::IsPathRooted($DotSafeChain)) {
|
if ($env:SAFE_CHAIN_DIR) {
|
||||||
Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $DotSafeChain" -ForegroundColor Red; exit 1
|
if (-not [System.IO.Path]::IsPathRooted($env:SAFE_CHAIN_DIR)) {
|
||||||
|
Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $($env:SAFE_CHAIN_DIR)" -ForegroundColor Red; exit 1
|
||||||
}
|
}
|
||||||
if ($DotSafeChain -match '\.\.') {
|
if ($env:SAFE_CHAIN_DIR -match '\.\.') {
|
||||||
Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1
|
Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1
|
||||||
}
|
}
|
||||||
if ($DotSafeChain -match '^[A-Za-z]:[/\\]?$' -or $DotSafeChain -eq '/') {
|
if ($env:SAFE_CHAIN_DIR -match '^[A-Za-z]:[/\\]?$' -or $env:SAFE_CHAIN_DIR -eq '/') {
|
||||||
Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1
|
Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$DotSafeChain = if ($env:SAFE_CHAIN_DIR) { $env:SAFE_CHAIN_DIR } else { Join-Path $HomeDir ".safe-chain" }
|
||||||
$InstallDir = Join-Path $DotSafeChain "bin"
|
$InstallDir = Join-Path $DotSafeChain "bin"
|
||||||
|
|
||||||
# Helper functions
|
# Helper functions
|
||||||
|
|
|
||||||
|
|
@ -7,19 +7,22 @@
|
||||||
set -e # Exit on error
|
set -e # Exit on error
|
||||||
|
|
||||||
# Configuration
|
# Configuration
|
||||||
DOT_SAFE_CHAIN="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}"
|
|
||||||
|
|
||||||
# Validate DOT_SAFE_CHAIN before any filesystem operations
|
# Validate SAFE_CHAIN_DIR before use
|
||||||
case "${DOT_SAFE_CHAIN}" in
|
if [ -n "${SAFE_CHAIN_DIR}" ]; then
|
||||||
|
case "${SAFE_CHAIN_DIR}" in
|
||||||
/*) ;;
|
/*) ;;
|
||||||
*) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${DOT_SAFE_CHAIN}" >&2; exit 1 ;;
|
*) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${SAFE_CHAIN_DIR}" >&2; exit 1 ;;
|
||||||
esac
|
esac
|
||||||
case "${DOT_SAFE_CHAIN}" in
|
case "${SAFE_CHAIN_DIR}" in
|
||||||
*../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;;
|
*../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;;
|
||||||
esac
|
esac
|
||||||
if [ "${DOT_SAFE_CHAIN}" = "/" ]; then
|
if [ "${SAFE_CHAIN_DIR}" = "/" ]; then
|
||||||
printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1
|
printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
DOT_SAFE_CHAIN="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}"
|
||||||
|
|
||||||
# Colors for output
|
# Colors for output
|
||||||
RED='\033[0;31m'
|
RED='\033[0;31m'
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue