From 7354ce838520855a8ede9b3fc2c6a29f490aa155 Mon Sep 17 00:00:00 2001 From: Thom May Date: Tue, 5 Jul 2016 15:22:32 +0100 Subject: Use Mixlib::Archive to extract tarballs this allows us to be truely cross platform, and also to ignore unsafe paths and permissions. Signed-off-by: Thom May --- Gemfile.lock | 60 ++++++++++++++------------- chef.gemspec | 3 +- lib/chef/application/client.rb | 4 +- lib/chef/application/solo.rb | 4 +- lib/chef/knife/cookbook_site_install.rb | 13 +----- spec/unit/application/solo_spec.rb | 12 +++--- spec/unit/knife/cookbook_site_install_spec.rb | 2 + 7 files changed, 48 insertions(+), 50 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index b880bb57ee..af85e403a9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -8,7 +8,7 @@ GIT GIT remote: https://github.com/rubysec/bundler-audit.git - revision: b16b26e0a4eed474f5f1ee38c22030a2f617ffc8 + revision: b7123d7b294f244165d9469f22b37a559e235fc2 specs: bundler-audit (0.5.0) bundler (~> 1.2) @@ -26,6 +26,7 @@ PATH ffi-yajl (~> 2.2) highline (~> 1.6, >= 1.6.9) iniparse (~> 1.4) + mixlib-archive (>= 0.2.0) mixlib-authentication (~> 1.4) mixlib-cli (~> 1.4) mixlib-log (~> 1.3) @@ -36,9 +37,9 @@ PATH ohai (>= 8.6.0.alpha.1, < 9) plist (~> 3.2) proxifier (~> 1.0) - rspec-core (~> 3.4) - rspec-expectations (~> 3.4) - rspec-mocks (~> 3.4) + rspec-core (~> 3.4.0) + rspec-expectations (~> 3.4.0) + rspec-mocks (~> 3.4.0) rspec_junit_formatter (~> 0.2.0) serverspec (~> 2.7) specinfra (~> 2.10) @@ -54,6 +55,7 @@ PATH ffi-yajl (~> 2.2) highline (~> 1.6, >= 1.6.9) iniparse (~> 1.4) + mixlib-archive (>= 0.2.0) mixlib-authentication (~> 1.4) mixlib-cli (~> 1.4) mixlib-log (~> 1.3) @@ -64,9 +66,9 @@ PATH ohai (>= 8.6.0.alpha.1, < 9) plist (~> 3.2) proxifier (~> 1.0) - rspec-core (~> 3.4) - rspec-expectations (~> 3.4) - rspec-mocks (~> 3.4) + rspec-core (~> 3.4.0) + rspec-expectations (~> 3.4.0) + rspec-mocks (~> 3.4.0) rspec_junit_formatter (~> 0.2.0) serverspec (~> 2.7) specinfra (~> 2.10) @@ -99,12 +101,12 @@ GEM mixlib-cli (~> 1.4) artifactory (2.3.3) ast (2.3.0) - aws-sdk (2.3.19) - aws-sdk-resources (= 2.3.19) - aws-sdk-core (2.3.19) + aws-sdk (2.3.20) + aws-sdk-resources (= 2.3.20) + aws-sdk-core (2.3.20) jmespath (~> 1.0) - aws-sdk-resources (2.3.19) - aws-sdk-core (= 2.3.19) + aws-sdk-resources (2.3.20) + aws-sdk-core (= 2.3.20) aws-sdk-v1 (1.66.0) json (~> 1.4) nokogiri (>= 1.4.4) @@ -159,13 +161,13 @@ GEM multipart-post (>= 1.2, < 3) fauxhai (3.6.0) net-ssh - ffi (1.9.10) - ffi (1.9.10-x86-mingw32) + ffi (1.9.13) + ffi (1.9.13-x86-mingw32) ffi-win32-extensions (1.0.2) ffi ffi-yajl (2.2.3) libyajl2 (~> 1.2) - foodcritic (6.3.0) + foodcritic (7.0.1) cucumber-core (>= 1.3) erubis nokogiri (>= 1.5, < 2.0) @@ -175,13 +177,13 @@ GEM yajl-ruby (~> 1.1) fuzzyurl (0.8.0) gherkin (4.0.0) - github_api (0.14.2) + github_api (0.14.3) addressable (~> 2.4.0) descendants_tracker (~> 0.0.4) faraday (~> 0.8, < 0.10) hashie (>= 3.4) - oauth2 - github_changelog_generator (1.12.1) + oauth2 (~> 1.0.0) + github_changelog_generator (1.13.0) colorize (~> 0.7) github_api (~> 0.12) rake (>= 10.0) @@ -203,8 +205,8 @@ GEM jmespath (1.2.4) json_pure (>= 1.8.1) json (1.8.3) - json_pure (1.8.3) - jwt (1.5.1) + json_pure (2.0.1) + jwt (1.5.4) knife-windows (1.4.1) winrm (~> 1.7) libyajl2 (1.2.0) @@ -218,9 +220,11 @@ GEM mime-types-data (~> 3.2015) mime-types-data (3.2016.0521) mini_portile2 (2.1.0) + mixlib-archive (0.2.0) + mixlib-log mixlib-authentication (1.4.1) mixlib-log - mixlib-cli (1.6.0) + mixlib-cli (1.7.0) mixlib-config (2.2.1) mixlib-install (1.1.0) artifactory @@ -254,12 +258,12 @@ GEM mini_portile2 (~> 2.1.0) pkg-config (~> 1.1.7) nori (2.6.0) - oauth2 (1.1.0) + oauth2 (1.0.0) faraday (>= 0.8, < 0.10) - jwt (~> 1.0, < 1.5.2) + jwt (~> 1.0) multi_json (~> 1.3) multi_xml (~> 0.5) - rack (>= 1.2, < 3) + rack (~> 1.2) octokit (4.3.0) sawyer (~> 0.7.0, >= 0.5.3) ohai (8.17.1) @@ -340,13 +344,13 @@ GEM rspec-its specinfra (~> 2.53) sfl (2.2) - simplecov (0.11.2) + simplecov (0.12.0) docile (~> 1.1.0) - json (~> 1.8) + json (>= 1.8, < 3) simplecov-html (~> 0.10.0) simplecov-html (0.10.0) slop (3.6.0) - specinfra (2.59.4) + specinfra (2.59.5) net-scp net-ssh (>= 2.7, < 4.0) net-telnet @@ -394,7 +398,7 @@ GEM rubyntlm (~> 0.6.0) wmi-lite (1.0.0) yajl-ruby (1.2.1) - yard (0.8.7.6) + yard (0.9.0) PLATFORMS ruby diff --git a/chef.gemspec b/chef.gemspec index b88c899d5c..b65332bb91 100644 --- a/chef.gemspec +++ b/chef.gemspec @@ -21,6 +21,7 @@ Gem::Specification.new do |s| s.add_dependency "mixlib-log", "~> 1.3" s.add_dependency "mixlib-authentication", "~> 1.4" s.add_dependency "mixlib-shellout", "~> 2.0" + s.add_dependency "mixlib-archive", ">= 0.2.0" s.add_dependency "ohai", ">= 8.6.0.alpha.1", "< 9" s.add_dependency "ffi-yajl", "~> 2.2" @@ -37,7 +38,7 @@ Gem::Specification.new do |s| s.add_dependency "iniparse", "~> 1.4" # Audit mode requires these, so they are non-developmental dependencies now - %w{rspec-core rspec-expectations rspec-mocks}.each { |gem| s.add_dependency gem, "~> 3.4" } + %w{rspec-core rspec-expectations rspec-mocks}.each { |gem| s.add_dependency gem, "~> 3.4.0" } s.add_dependency "rspec_junit_formatter", "~> 0.2.0" s.add_dependency "serverspec", "~> 2.7" s.add_dependency "specinfra", "~> 2.10" diff --git a/lib/chef/application/client.rb b/lib/chef/application/client.rb index 77c86ad559..2a2f70c3a1 100644 --- a/lib/chef/application/client.rb +++ b/lib/chef/application/client.rb @@ -27,6 +27,7 @@ require "chef/handler/error_report" require "chef/workstation_config_loader" require "chef/mixin/shell_out" require "chef-config/mixin/dot_d" +require "mixlib/archive" class Chef::Application::Client < Chef::Application include Chef::Mixin::ShellOut @@ -334,8 +335,7 @@ class Chef::Application::Client < Chef::Application FileUtils.mkdir_p(Chef::Config.chef_repo_path) tarball_path = File.join(Chef::Config.chef_repo_path, "recipes.tgz") fetch_recipe_tarball(Chef::Config[:recipe_url], tarball_path) - result = shell_out!("tar zxvf #{tarball_path} -C #{Chef::Config.chef_repo_path}") - Chef::Log.debug "#{result.stdout}" + Mixlib::Archive.new(tarball_path).extract(Chef::Config.chef_repo_path, perms: false, ignore: /^\.$/) end end diff --git a/lib/chef/application/solo.rb b/lib/chef/application/solo.rb index d2516926c4..a7c4038f4c 100644 --- a/lib/chef/application/solo.rb +++ b/lib/chef/application/solo.rb @@ -29,6 +29,7 @@ require "fileutils" require "chef/mixin/shell_out" require "pathname" require "chef-config/mixin/dot_d" +require "mixlib/archive" class Chef::Application::Solo < Chef::Application include Chef::Mixin::ShellOut @@ -273,8 +274,7 @@ class Chef::Application::Solo < Chef::Application FileUtils.mkdir_p(recipes_path) tarball_path = File.join(recipes_path, "recipes.tgz") fetch_recipe_tarball(Chef::Config[:recipe_url], tarball_path) - result = shell_out!("tar zxvf #{tarball_path} -C #{recipes_path}") - Chef::Log.debug "#{result.stdout}" + Mixlib::Archive.new(tarball_path).extract(Chef::Config.chef_repo_path, perms: false, ignore: /^\.$/) end # json_attribs shuld be fetched after recipe_url tarball is unpacked. diff --git a/lib/chef/knife/cookbook_site_install.rb b/lib/chef/knife/cookbook_site_install.rb index 9a1ac93821..43d015dcc4 100644 --- a/lib/chef/knife/cookbook_site_install.rb +++ b/lib/chef/knife/cookbook_site_install.rb @@ -19,6 +19,7 @@ require "chef/knife" require "chef/exceptions" require "shellwords" +require "mixlib/archive" class Chef class Knife @@ -149,17 +150,7 @@ class Chef def extract_cookbook(upstream_file, version) ui.info("Uncompressing #{@cookbook_name} version #{version}.") - extract_command = "tar zxvf \"#{convert_path upstream_file}\"" - if Chef::Platform.windows? - tar_version = shell_out("tar --version").stdout.tr("\n", " ") - if tar_version =~ /GNU tar/ - Chef::Log.debug("GNU tar detected, adding --force-local") - extract_command << " --force-local" - else - Chef::Log.debug("non-GNU tar detected, not adding --force-local") - end - end - shell_out!(extract_command, :cwd => @install_path) + Mixlib::Archive.new(convert_path(upstream_file)).extract(@install_path, perms: false) end def clear_existing_files(cookbook_path) diff --git a/spec/unit/application/solo_spec.rb b/spec/unit/application/solo_spec.rb index b1931414cc..686ae745d8 100644 --- a/spec/unit/application/solo_spec.rb +++ b/spec/unit/application/solo_spec.rb @@ -120,9 +120,10 @@ Enable chef-client interval runs by setting `:client_fork = true` in your config expect(app).to receive(:open).with("http://junglist.gen.nz/recipes.tgz").and_yield(tarfile) expect(File).to receive(:open).with("#{Dir.tmpdir}/chef-solo/recipes.tgz", "wb").and_yield(target_file) - shellout = instance_double("Mixlib::ShellOut", run_command: nil, error!: nil, stdout: "") + archive = double(Mixlib::Archive) - expect(app).to receive(:shell_out!).with("tar zxvf #{Dir.tmpdir}/chef-solo/recipes.tgz -C #{Dir.tmpdir}/chef-solo").and_return(shellout) + expect(Mixlib::Archive).to receive(:new).with("#{Dir.tmpdir}/chef-solo/recipes.tgz").and_return(archive) + expect(archive).to receive(:extract).with("#{Dir.tmpdir}/chef-solo", { perms: false, ignore: /^\.$/ }) app.reconfigure expect(target_file.string).to eq("remote_tarball_content") end @@ -136,11 +137,10 @@ Enable chef-client interval runs by setting `:client_fork = true` in your config Chef::Config[:cookbook_path] = "#{Dir.tmpdir}/chef-solo/cookbooks" expect(FileUtils).to receive(:mkdir_p).with("#{Dir.tmpdir}/chef-solo").and_return(true) - allow(Chef::Mixin::Command).to receive(:run_command).and_return(true) + archive = double(Mixlib::Archive) - shellout = instance_double("Mixlib::ShellOut", run_command: nil, error!: nil, stdout: "") - - expect(app).to receive(:shell_out!).with("tar zxvf #{Dir.tmpdir}/chef-solo/recipes.tgz -C #{Dir.tmpdir}/chef-solo").and_return(shellout) + expect(Mixlib::Archive).to receive(:new).with("#{Dir.tmpdir}/chef-solo/recipes.tgz").and_return(archive) + expect(archive).to receive(:extract).with("#{Dir.tmpdir}/chef-solo", { perms: false, ignore: /^\.$/ }) expect(app).to receive(:fetch_recipe_tarball).ordered expect(Chef::ConfigFetcher).to receive(:new).ordered.and_return(config_fetcher) app.reconfigure diff --git a/spec/unit/knife/cookbook_site_install_spec.rb b/spec/unit/knife/cookbook_site_install_spec.rb index d60443d779..1549245ea3 100644 --- a/spec/unit/knife/cookbook_site_install_spec.rb +++ b/spec/unit/knife/cookbook_site_install_spec.rb @@ -23,6 +23,7 @@ describe Chef::Knife::CookbookSiteInstall do let(:stdout) { StringIO.new } let(:stderr) { StringIO.new } let(:downloader) { Hash.new } + let(:archive) { double(Mixlib::Archive, extract: true) } let(:repo) { double(:sanity_check => true, :reset_to_default_state => true, :prepare_to_import => true, :finalize_updates_to => true, :merge_updates_from => true) } @@ -48,6 +49,7 @@ describe Chef::Knife::CookbookSiteInstall do allow(File).to receive(:unlink) allow(File).to receive(:rmtree) allow(knife).to receive(:shell_out!).and_return(true) + allow(Mixlib::Archive).to receive(:new).and_return(archive) # CookbookSiteDownload Stup allow(knife).to receive(:download_cookbook_to).and_return(downloader) -- cgit v1.2.1