diff options
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/eprintf.nix | 9 | ||||
| -rw-r--r-- | tools/rust-crates-advisory/OWNERS | 3 | ||||
| -rw-r--r-- | tools/rust-crates-advisory/check-security-advisory.rs | 67 | ||||
| -rw-r--r-- | tools/rust-crates-advisory/default.nix | 97 |
4 files changed, 176 insertions, 0 deletions
diff --git a/tools/eprintf.nix b/tools/eprintf.nix new file mode 100644 index 000000000000..eeacca4c8c72 --- /dev/null +++ b/tools/eprintf.nix @@ -0,0 +1,9 @@ +{ depot, pkgs, ... }: + +let + bins = depot.nix.getBins pkgs.coreutils [ "printf" ]; + +# printf(1), but redirect to stderr +in depot.nix.writeExecline "eprintf" {} [ + "fdmove" "-c" "1" "2" bins.printf "$@" +] diff --git a/tools/rust-crates-advisory/OWNERS b/tools/rust-crates-advisory/OWNERS new file mode 100644 index 000000000000..a742d0d22bf6 --- /dev/null +++ b/tools/rust-crates-advisory/OWNERS @@ -0,0 +1,3 @@ +inherited: true +owners: + - Profpatsch diff --git a/tools/rust-crates-advisory/check-security-advisory.rs b/tools/rust-crates-advisory/check-security-advisory.rs new file mode 100644 index 000000000000..3fd9bc2dd947 --- /dev/null +++ b/tools/rust-crates-advisory/check-security-advisory.rs @@ -0,0 +1,67 @@ +extern crate semver; +extern crate toml; + +use std::io::Write; + +/// reads a security advisory of the form +/// https://github.com/RustSec/advisory-db/blob/a24932e220dfa9be8b0b501210fef8a0bc7ef43e/EXAMPLE_ADVISORY.md +/// and a crate version number, +/// and returns 0 if the crate version is patched +/// and returns 1 if the crate version is *not* patched +/// +/// If PRINT_ADVISORY is set, the advisory is printed if it matches. + +fn main() { + let mut args = std::env::args_os(); + let file = args.nth(1).expect("security advisory md file is $1"); + let crate_version = + args.nth(0).expect("crate version is $2") + .into_string().expect("crate version string not utf8") + ; + let crate_version = semver::Version::parse(&crate_version).expect(&format!("this is not a semver version: {}", &crate_version)); + let filename = file.to_string_lossy(); + + let content = std::fs::read(&file).expect(&format!("could not read {}", filename)); + let content = + std::str::from_utf8(&content).expect(&format!("file {} was not encoded as utf-8", filename)); + let content = content.trim_start(); + + let toml_start = content + .strip_prefix("```toml").expect(&format!("file did not start with ```toml: {}", filename)); + let toml_end_index = toml_start.find("```").expect(&format!("the toml section did not end, no `` found: {}", filename)); + let toml = &toml_start[..toml_end_index]; + let toml : toml::Value = toml::de::from_slice(toml.as_bytes()).expect(&format!("could not parse toml: {}", filename)); + + let versions = toml + .as_table().expect(&format!("the toml is not a table: {}", filename)) + .get("versions").expect(&format!("the toml does not contain the versions field: {}", filename)) + .as_table().expect(&format!("the toml versions field must be a table: {}", filename)); + + let unaffected = match versions.get("unaffected") { + Some(u) => u + .as_array().expect(&format!("the toml versions.unaffected field must be a list of semvers: {}", filename)) + .iter() + .map(|v| semver::VersionReq::parse(v.as_str().expect(&format!("the version field {} is not a string", v))).expect(&format!("the version field {} is not a valid semver VersionReq", v))) + .collect(), + None => vec![] + }; + + let mut patched : Vec<semver::VersionReq> = versions.get("patched").expect(&format!("the toml versions.patched field must exist: {}", filename)) + .as_array().expect(&format!("the toml versions.patched field must be a list of semvers: {}", filename)) + .iter() + .map(|v| semver::VersionReq::parse(v.as_str().expect(&format!("the version field {} is not a string", v))).expect(&format!("the version field {} is not a valid semver VersionReq", v))) + .collect(); + + patched.extend_from_slice(&unaffected[..]); + let is_patched_or_unaffected = patched.iter().any(|req| req.matches(&crate_version)); + + if is_patched_or_unaffected { + std::process::exit(0); + } else { + if std::env::var_os("PRINT_ADVISORY").is_some() { + write!(std::io::stderr(), "Advisory {} matched!\n{}\n", filename, content).unwrap(); + } + std::process::exit(1); + } + +} diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix new file mode 100644 index 000000000000..d9b87839044b --- /dev/null +++ b/tools/rust-crates-advisory/default.nix @@ -0,0 +1,97 @@ +{ depot, pkgs, lib, ... }: + +let + + bins = + depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" ] + // depot.nix.getBins pkgs.lr [ "lr" ] + ; + + crate-advisories = "${pkgs.fetchFromGitHub { + owner = "RustSec"; + repo = "advisory-db"; + # TODO(Profpatsch): this will have to be updated regularly, how? + rev = "113188c62380753f01ff0df5edb7d67a300b143a"; + sha256 = "0v086ybwr71zgs5nv8yr4w2w2d4daxx6in2s1sjb4m41q1r9p0wj"; + }}/crates"; + + our-crates = lib.mapAttrsToList (_: lib.id) + # this is a bit eh, but no idea how to avoid the readTree thing otherwise + (builtins.removeAttrs depot.third_party.rust-crates [ "__readTree" ]); + + check-security-advisory = depot.nix.writers.rustSimple { + name = "parse-security-advisory"; + dependencies = [ + depot.third_party.rust-crates.toml + depot.third_party.rust-crates.semver + ]; + } (builtins.readFile ./check-security-advisory.rs); + + # $1 is the directory with advisories for crate $2 with version $3 + check-crate-advisory = depot.nix.writeExecline "check-crate-advisory" { readNArgs = 3; } [ + "pipeline" [ bins.lr "-0" "-t" "depth == 1" "$1" ] + "forstdin" "-0" "-Eo" "0" "advisory" + "if" [ depot.tools.eprintf "advisory %s\n" "$advisory" ] + check-security-advisory "$advisory" "$3" + ]; + + # Run through everything in the `crate-advisories` repository + # and check whether we can parse all the advisories without crashing. + test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" {} [ + "pipeline" [ bins.lr "-0" "-t" "depth == 1" crate-advisories ] + "if" [ + # this will succeed as long as check-crate-advisory doesn’t `panic!()` (status 101) + "forstdin" "-0" "-E" "-x" "101" "crate_advisories" + check-crate-advisory "$crate_advisories" "foo" "0.0.0" + ] + "importas" "out" "out" + bins.s6-touch "$out" + ]; + + + check-all-our-crates = depot.nix.runExecline "check-all-our-crates" { + stdin = lib.concatStrings + (map + (crate: + depot.nix.netstring.fromString + ( depot.nix.netstring.fromString crate.crateName + + depot.nix.netstring.fromString crate.version )) + our-crates); + } [ + "if" [ + "forstdin" "-o" "0" "-Ed" "" "crateNetstring" + "multidefine" "-d" "" "$crateNetstring" [ "crate" "crate_version" ] + "if" [ depot.tools.eprintf "checking %s, version %s\n" "$crate" "$crate_version" ] + + "ifthenelse" [ bins.s6-test "-d" "${crate-advisories}/\${crate}" ] + [ # also print the full advisory text if it matches + "export" "PRINT_ADVISORY" "1" + check-crate-advisory "${crate-advisories}/\${crate}" "$crate" "$crate_version" + ] + [ depot.tools.eprintf "No advisories found for crate %s\n" "$crate" ] + "importas" "-ui" "ret" "?" + # put a marker in ./failed to read at the end + "ifelse" [ bins.s6-test "$ret" "-eq" "1" ] + [ bins.s6-touch "./failed" ] + "if" [ depot.tools.eprintf "\n" ] + "exit" "$ret" + ] + "ifelse" [ bins.s6-test "-f" "./failed" ] + [ "if" [ depot.tools.eprintf "Error: Found active advisories!" ] + "exit" "1" + ] + "importas" "out" "out" + bins.s6-touch "$out" + ]; + +in depot.nix.utils.drvTargets { + + check-all-our-crates = + depot.nix.drvSeqL + [ test-parsing-all-security-advisories ] + check-all-our-crates; + + inherit + check-crate-advisory + ; +} |