Posted to gitbox@yetus.apache.org by aw...@apache.org on 2022/04/21 16:59:28 UTC
[yetus] branch main updated: YETUS-1159. fixes for CVE-2022-24765 (#254)
This is an automated email from the ASF dual-hosted git repository.
aw pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/yetus.git
The following commit(s) were added to refs/heads/main by this push:
new af54b663 YETUS-1159. fixes for CVE-2022-24765 (#254)
af54b663 is described below
commit af54b6635ab27057a16107dd71b930c8d4563ac9
Author: Allen Wittenauer <aw...@apache.org>
AuthorDate: Thu Apr 21 09:59:22 2022 -0700
YETUS-1159. fixes for CVE-2022-24765 (#254)
---
.cirrus.yml | 2 +-
.github/workflows/action-test.yml | 6 +-
.github/workflows/ghcr.yml | 2 +-
.github/workflows/linkcheck.yml | 4 +-
.github/workflows/yetus.yml | 6 +-
.gitlab-ci.yml | 2 +-
.travis.yml | 2 +-
.../precommit/robots/githubactions.html.md | 4 +-
precommit/src/main/shell/core.d/00-yetuslib.sh | 81 ++++++++++++++++++++++
precommit/src/main/shell/core.d/01-common.sh | 22 ++++++
precommit/src/main/shell/robots.d/cirrusci.sh | 3 +
precommit/src/main/shell/robots.d/travisci.sh | 3 +
precommit/src/main/shell/smart-apply-patch.sh | 2 +
precommit/src/main/shell/test-patch.sh | 12 ++--
release/initial-patches.sh | 2 +-
15 files changed, 134 insertions(+), 19 deletions(-)
diff --git a/.cirrus.yml b/.cirrus.yml
index 517de749..192a0cc6 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -17,7 +17,7 @@
yetus_task:
container:
- image: apache/yetus:main
+ image: ghcr.io/apache/yetus:main
test_script: >
${CIRRUS_WORKING_DIR}/precommit/src/main/shell/test-patch.sh
--basedir="${CIRRUS_WORKING_DIR}"
diff --git a/.github/workflows/action-test.yml b/.github/workflows/action-test.yml
index 3cdd4dd4..105db825 100644
--- a/.github/workflows/action-test.yml
+++ b/.github/workflows/action-test.yml
@@ -25,12 +25,12 @@ jobs:
steps:
- name: checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
path: src
fetch-depth: 0
- name: maven cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: ~/.m2
key: yetus-m2-${{ hashFiles('**/pom.xml') }}
@@ -45,7 +45,7 @@ jobs:
testsfilter: checkstyle,test4tests
- name: Artifact output
if: ${{ always() }}
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: apacheyetustestpatchactionout
path: ${{ github.workspace }}/out
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
index 2b149463..5811dc6e 100644
--- a/.github/workflows/ghcr.yml
+++ b/.github/workflows/ghcr.yml
@@ -28,7 +28,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
path: src
fetch-depth: 0
diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml
index 0e3d7fbc..c2bccd4d 100644
--- a/.github/workflows/linkcheck.yml
+++ b/.github/workflows/linkcheck.yml
@@ -28,9 +28,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
- name: maven cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: ~/.m2
key: yetus-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/yetus.yml b/.github/workflows/yetus.yml
index 32cb9627..bf19ad7c 100644
--- a/.github/workflows/yetus.yml
+++ b/.github/workflows/yetus.yml
@@ -29,12 +29,12 @@ jobs:
steps:
- name: checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
path: src
fetch-depth: 0
- name: maven cache
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: ~/.m2
key: yetus-m2-${{ hashFiles('**/pom.xml') }}
@@ -60,7 +60,7 @@ jobs:
--tests-filter=checkstyle,javadoc,rubocop,test4tests
- name: Artifact output
if: ${{ always() }}
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: apacheyetuspatchdir
path: ${{ github.workspace }}/out
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e138a651..1190222d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,7 +16,7 @@
---
buretoolbox-job:
- image: apache/yetus:main
+ image: ghcr.io/apache/yetus:main
allow_failure: true
script:
- >
diff --git a/.travis.yml b/.travis.yml
index 022ed61d..b923a834 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -32,7 +32,7 @@ script:
--patch-dir=/tmp/yetus-out
--java-home=/usr/lib/jvm/java-11-openjdk-amd64
--plugins=all,-detsecrets
- --docker-cache-from=apache/yetus:main
+ --docker-cache-from=ghcr.io/apache/yetus:main
--html-report-file=/tmp/yetus-out/report.html
--console-report-file=/tmp/yetus-out/console.txt
--brief-report-file=/tmp/yetus-out/brief.txt
diff --git a/asf-site-src/source/documentation/in-progress/precommit/robots/githubactions.html.md b/asf-site-src/source/documentation/in-progress/precommit/robots/githubactions.html.md
index adf3b55c..fc7e8b5a 100644
--- a/asf-site-src/source/documentation/in-progress/precommit/robots/githubactions.html.md
+++ b/asf-site-src/source/documentation/in-progress/precommit/robots/githubactions.html.md
@@ -44,7 +44,7 @@ jobs:
steps:
- name: checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
path: src
fetch-depth: 0
@@ -57,7 +57,7 @@ jobs:
githubtoken: ${{ secrets.GITHUB_TOKEN }}
- name: Artifact output
if: ${{ always() }}
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
with:
name: apacheyetuspatchdir
path: ${{ github.workspace }}/out
diff --git a/precommit/src/main/shell/core.d/00-yetuslib.sh b/precommit/src/main/shell/core.d/00-yetuslib.sh
index 5d940062..acd93187 100755
--- a/precommit/src/main/shell/core.d/00-yetuslib.sh
+++ b/precommit/src/main/shell/core.d/00-yetuslib.sh
@@ -528,3 +528,84 @@ function yetus_set_trap_handler
trap "${func} ${signal}" "${signal}"
done
}
+
+## @description Determine if running in a container
+## @audience public
+## @stability evolving
+## @replaceable no
+function yetus_is_container
+{
+ declare mounts
+ declare cgroups
+
+ # shortcut logic
+ if [[ -n "${YETUS_CONTAINER_STATE}" ]]; then
+ if [[ "${YETUS_CONTAINER_STATE}" == "true" ]]; then
+ return 0
+ fi
+ return 1
+ fi
+
+ # NOTE: there is no official 'is this a container?' API
+ # as of this writing that works 100%. In fact, there are
+ # no APIs at all that could be considered stable. So this
+ # function basically performs some guesswork based upon
+ # some common things.
+
+ # Docker creates this file but it isn't guaranteed by
+ # them.
+ if [[ -f /.dockerenv ]]; then
+ YETUS_CONTAINER_STATE=true
+ return 0
+ fi
+
+ # LXC and others sets the container env var to be
+ # something.
+ if [[ -n "${container}" ]]; then
+ YETUS_CONTAINER_STATE=true
+ return 0
+ fi
+
+ #
+ # docker and lxc will tend to mount things onto /docker or /containers
+ # (depending upon OS, version involved, etc)
+ #
+ if [[ -d /proc/self/mountinfo ]]; then
+ mounts=$(awk '$4 ~ /^\/docker/ {print $1}' /proc/self/mountinfo)
+ if [[ -n "${mounts}" ]]; then
+ YETUS_CONTAINER_STATE=true
+ return 0
+ fi
+ fi
+
+ if [[ -d /proc/self/mountinfo ]]; then
+ mounts=$(awk '$4 ~ /^\/container/ {print $1}' /proc/self/mountinfo)
+ if [[ -n "${mounts}" ]]; then
+ YETUS_CONTAINER_STATE=true
+ return 0
+ fi
+ fi
+
+ #
+ # docker and lxc will tend to create docker or lxc cgroups,
+ # depending upon the OS configuration
+ #
+ if [[ -d /proc/self/cgroup ]]; then
+ cgroups=$(awk '$4 ~ /docker/ {print $1}' /proc/self/cgroup)
+ if [[ -n "${cgroups}" ]]; then
+ YETUS_CONTAINER_STATE=true
+ return 0
+ fi
+ fi
+
+ if [[ -d /proc/self/cgroup ]]; then
+ cgroups=$(awk '$4 ~ /lxc/ {print $1}' /proc/self/cgroup )
+ if [[ -n "${cgroups}" ]]; then
+ YETUS_CONTAINER_STATE=true
+ return 0
+ fi
+ fi
+
+ YETUS_CONTAINER_STATE=false
+ return 1
+}
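Review bot: The four `/proc` probes in `yetus_is_container` can never fire, because `/proc/self/mountinfo` and `/proc/self/cgroup` are regular files and `[[ -d ... ]]` is therefore always false; the tests should be `[[ -f /proc/self/mountinfo ]]` and `[[ -f /proc/self/cgroup ]]`. The cgroup probes also read `$4` under awk's default whitespace splitting, while that file's lines are colon-separated (`id:controllers:path`), so they need something like `awk -F: '$3 ~ /docker/ {print $1}' /proc/self/cgroup`. As written, detection rests only on `/.dockerenv` and `${container}`, and a miss means `check_basedir_repo` skips the `GIT_DIR`/`GIT_CEILING_DIRECTORIES` setup and test-patch.sh leaves `InContainer` out of `EXEC_MODES`. Nothing in this hunk initializes `YETUS_CONTAINER_STATE`, so a value inherited from the caller's environment decides the result; the `## @description` block should say that this is an intended override.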
diff --git a/precommit/src/main/shell/core.d/01-common.sh b/precommit/src/main/shell/core.d/01-common.sh
index d130866e..caa5869c 100755
--- a/precommit/src/main/shell/core.d/01-common.sh
+++ b/precommit/src/main/shell/core.d/01-common.sh
@@ -303,6 +303,28 @@ function common_args
USER_PLUGIN_DIR="${BASEDIR}/.yetus/plugins.d"
}
+## @description Check BASEDIR is a git repo
+## @description and set some git settings
+## @audience private
+## @stability evolving
+## @replaceable no
+## @return May exit on failure
+function check_basedir_repo
+{
+ if [[ ! -e "${BASEDIR}/.git" ]]; then
+ yetus_error "ERROR: ${BASEDIR} is not a git repo."
+ cleanup_and_exit 1
+ fi
+
+ if yetus_is_container; then
+ GIT_DIR="${BASEDIR}/.git"
+ export GIT_DIR
+
+ GIT_CEILING_DIRECTORIES="${BASEDIR}"
+ export GIT_CEILING_DIRECTORIES
+ fi
+}
+
## @description List all installed plug-ins, regardless of whether
## @description they have been enabled
## @audience public
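Review bot: In `check_basedir_repo` the container branch exports `GIT_DIR` without `GIT_WORK_TREE`, and git then treats the current directory as the top of the work tree, so a git call made from a subdirectory of `${BASEDIR}` would operate on the wrong tree; adding `GIT_WORK_TREE="${BASEDIR}"` and `export GIT_WORK_TREE` pins it. The branch also needs a comment explaining why the variables are set. As far as I know, an explicit `GIT_DIR` makes git skip the repository-ownership check it introduced for CVE-2022-24765, so inside a container `${BASEDIR}/.git/config` is trusted regardless of who owns it. Something like `# explicit GIT_DIR bypasses git's ownership check; BASEDIR must be trusted` would record that assumption for the next maintainer.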
diff --git a/precommit/src/main/shell/robots.d/cirrusci.sh b/precommit/src/main/shell/robots.d/cirrusci.sh
index cd4b7c09..66f5ddc4 100755
--- a/precommit/src/main/shell/robots.d/cirrusci.sh
+++ b/precommit/src/main/shell/robots.d/cirrusci.sh
@@ -70,6 +70,9 @@ if [[ "${CIRRUS_CI}" == true ]] &&
CONSOLE_USE_BUILD_URL=true
if [[ -d ${BASEDIR}/.git ]]; then
+
+ check_basedir_repo
+
echo "Updating the local git repo to include all branches/tags:"
pushd "${BASEDIR}" >/dev/null || exit 1
"${GIT}" config --replace-all remote.origin.fetch +refs/heads/*:refs/remotes/origin/*
diff --git a/precommit/src/main/shell/robots.d/travisci.sh b/precommit/src/main/shell/robots.d/travisci.sh
index c3b778dd..1945a3bf 100755
--- a/precommit/src/main/shell/robots.d/travisci.sh
+++ b/precommit/src/main/shell/robots.d/travisci.sh
@@ -74,6 +74,9 @@ if [[ "${TRAVIS}" == true ]] &&
CONSOLE_USE_BUILD_URL=true
if [[ -d ${BASEDIR}/.git ]]; then
+
+ check_basedir_repo
+
echo "Updating the local git repo to include all branches/tags:"
pushd "${BASEDIR}" >/dev/null || exit 1
"${GIT}" config --replace-all remote.origin.fetch +refs/heads/*:refs/remotes/origin/*
diff --git a/precommit/src/main/shell/smart-apply-patch.sh b/precommit/src/main/shell/smart-apply-patch.sh
index fb107649..df318327 100755
--- a/precommit/src/main/shell/smart-apply-patch.sh
+++ b/precommit/src/main/shell/smart-apply-patch.sh
@@ -191,6 +191,8 @@ function parse_args
common_args "$@"
+ check_basedir_repo
+
for i in "$@"; do
case ${i} in
--build-tool=*)
diff --git a/precommit/src/main/shell/test-patch.sh b/precommit/src/main/shell/test-patch.sh
index 8be4e83f..952196c3 100755
--- a/precommit/src/main/shell/test-patch.sh
+++ b/precommit/src/main/shell/test-patch.sh
@@ -760,6 +760,8 @@ function parse_args
common_args "$@"
+ check_basedir_repo
+
for i in "$@"; do
case ${i} in
--archive-list=*)
@@ -968,6 +970,10 @@ function parse_args
yetus_add_array_element EXEC_MODES Robot
fi
+ if yetus_is_container; then
+ yetus_add_array_element EXEC_MODES InContainer
+ fi
+
if [[ -n $UNIT_TEST_FILTER_FILE ]]; then
if [[ -f $UNIT_TEST_FILTER_FILE ]]; then
UNIT_TEST_FILTER_FILE=$(yetus_abs "${UNIT_TEST_FILTER_FILE}")
@@ -1171,10 +1177,6 @@ function git_checkout
fi
cd "${BASEDIR}" || cleanup_and_exit 1
- if [[ ! -e .git ]]; then
- yetus_error "ERROR: ${BASEDIR} is not a git repo."
- cleanup_and_exit 1
- fi
if [[ ${RESETREPO} == "true" ]] ; then
@@ -3085,6 +3087,8 @@ function initialize
parse_args "$@"
+ check_basedir_repo
+
importplugins
if [[ -z "${BUILDTOOL}" ]]; then
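Review bot: `check_basedir_repo` already runs at the top of `parse_args` (the hunk at -760), and `initialize` calls it again immediately after `parse_args "$@"` returns. If the second call exists because `BASEDIR` can be rewritten while options are parsed, a comment such as `# re-run: parse_args may have changed BASEDIR` would make that clear; otherwise one of the two calls can be dropped. In the first case the early call may export a `GIT_DIR` built from a not-yet-final `BASEDIR`, which is worth confirming. The body of `initialize` continues outside this hunk.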
diff --git a/release/initial-patches.sh b/release/initial-patches.sh
index 42500794..31612fc0 100755
--- a/release/initial-patches.sh
+++ b/release/initial-patches.sh
@@ -89,7 +89,7 @@ docker_run() {
-u "${USER_ID}" \
-e "HOME=${HOME}" \
-w /src \
- "apache/yetus:main" \
+ "ghcr.io/apache/yetus:main" \
"$@"
}