Commit 9651a0df authored by José Henrique's avatar José Henrique

Implement releasetools validator

parent 1a746c4a
......@@ -18,6 +18,17 @@ def sync_tools(post_build_env_vars):
def create_release_zip(post_build_env_vars):
release_tools_path = "META/releasetools.py"
has_releasetools = exists_on_target_files(
post_build_env_vars["unsigned_target_files_path"],
release_tools_path)
if has_releasetools:
print("Validating releasetools.py...")
extract_from_target_files(
post_build_env_vars["unsigned_target_files_path"],
release_tools_path)
validate_release_tools(release_tools_path)
target_files_path = (
post_build_env_vars["target_files_path"]
if post_build_env_vars["production"] else
......
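Review bot: The validator runs on the copy of `META/releasetools.py` extracted from `unsigned_target_files_path`, while the lines right after it select `target_files_path` for production builds, so the file that is checked may not be the file that ends up in the release. If the two archives can differ, validate the one that is actually packaged. The extracted copy is also read back through the relative path `META/releasetools.py`; assuming `extract_from_target_files` writes under the working directory, a leftover file from an earlier build would be validated if extraction fails quietly, so extracting into a fresh temporary directory would make the check fail closed. `create_release_zip` continues past the end of this hunk.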
......@@ -6,6 +6,7 @@ import traceback
import hashlib
import ftplib
import requests
import re
from zipfile import ZipFile
......@@ -149,3 +150,25 @@ def download_artifact(device, build, destination_path):
sys.exit(
"Failed to download artifact, process returned code " +
str(result))
def validate_release_tools(release_tools_path):
allowed_imports = ["hashlib", "common", "re"]
prohibited_keywords = ["eval", "exec", "__import__", "open"]
with open(release_tools_path) as f:
text = f.read()
matches = re.finditer(
r'^\s*(?:from|import)\s+(\w+(?:\s*,\s*\w+)*)',
text, re.MULTILINE)
for matchNum, match in enumerate(matches, start=1):
for groupNum in range(0, len(match.groups())):
groupNum += 1
import_name = match.group(groupNum)
if import_name not in allowed_imports:
sys.exit("releasetools: Import not allowed: " +
import_name)
text = text.replace(" ", "")
for keyword in prohibited_keywords:
if keyword in text:
sys.exit("releasetools: Call not allowed: " + keyword)
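Review bot: The check in `validate_release_tools` matches raw text, so it is both too loose and too strict to gate a script that will later be executed: the import regex only sees statements that begin a line and compares the whole captured list (so `import hashlib, re` is rejected), and the keyword test is a substring search that rejects any identifier or comment containing `open` or `exec` while stripping only spaces, not tabs or other whitespace. Parsing the file with `ast` and inspecting `Import`, `ImportFrom` and `Name` nodes checks what the interpreter would actually see; this needs `import ast` next to the `import re` added in the first hunk of this file. Even then the result is a lint rather than a sandbox, because a name check cannot account for functionality reached through attributes of an allowed module, so the script should still run with minimal privileges. The unused `matchNum` and the `groupNum` loop over a single capture group disappear with the rewrite.

```python
def validate_release_tools(release_tools_path):
    allowed_imports = {"hashlib", "common", "re"}
    prohibited_names = {"eval", "exec", "__import__", "open"}
    with open(release_tools_path) as f:
        text = f.read()
    try:
        tree = ast.parse(text, filename=release_tools_path)
    except SyntaxError as err:
        # An unparsable script is rejected rather than skipped.
        sys.exit("releasetools: Could not parse: " + str(err))
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            # Relative imports have no module name and are rejected below.
            modules = [node.module or ""]
        else:
            modules = []
        for module in modules:
            if module.split(".")[0] not in allowed_imports:
                sys.exit("releasetools: Import not allowed: " + module)
        if isinstance(node, ast.Name) and node.id in prohibited_names:
            sys.exit("releasetools: Call not allowed: " + node.id)
```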