132 lines
4.7 KiB
Bash
132 lines
4.7 KiB
Bash
#!/usr/bin/env bash
|
|
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
set -e
|
|
function usage {
|
|
echo "Usage: ${0} [options] [/path/to/some/example.jar:/path/to/another/example/created.jar]"
|
|
echo ""
|
|
echo " accepts a single command line argument with a colon separated list of"
|
|
echo " paths to jars to check. Iterates through each such passed jar and checks"
|
|
echo " all the contained paths to make sure they follow the below constructed"
|
|
echo " safe list."
|
|
echo ""
|
|
echo " --allow-hadoop Include stuff from the Apache Hadoop project in the list"
|
|
echo " of allowed jar contents. default: false"
|
|
echo " --debug print more info to stderr"
|
|
exit 1
|
|
}
|
|
# if no args specified, show usage
|
|
if [ $# -lt 1 ]; then
|
|
usage
|
|
fi
|
|
|
|
# Get arguments
|
|
declare allow_hadoop
|
|
declare debug
|
|
while [ $# -gt 0 ]
|
|
do
|
|
case "$1" in
|
|
--allow-hadoop) shift; allow_hadoop="true";;
|
|
--debug) shift; debug="true";;
|
|
--) shift; break;;
|
|
-*) usage ;;
|
|
*) break;; # terminate while loop
|
|
esac
|
|
done
|
|
|
|
# should still have jars to check.
|
|
if [ $# -lt 1 ]; then
|
|
usage
|
|
fi
|
|
if [ -n "${debug}" ]; then
|
|
echo "[DEBUG] Checking on jars: $*" >&2
|
|
echo "jar command is: $(which jar)" >&2
|
|
echo "grep command is: $(which grep)" >&2
|
|
grep -V >&2 || true
|
|
fi
|
|
|
|
IFS=: read -r -d '' -a artifact_list < <(printf '%s\0' "$1")
|
|
|
|
# we have to allow the directories that lead to the hbase dirs
|
|
allowed_expr="(^org/$|^org/apache/$|^org/apache/hadoop/$"
|
|
# We allow the following things to exist in our client artifacts:
|
|
# * classes in packages that start with org.apache.hadoop.hbase, which by
|
|
# convention should be in a path that looks like org/apache/hadoop/hbase
|
|
allowed_expr+="|^org/apache/hadoop/hbase"
|
|
# * classes in packages that start with org.apache.hbase
|
|
allowed_expr+="|^org/apache/hbase/"
|
|
# * whatever in the "META-INF" directory
|
|
allowed_expr+="|^META-INF/"
|
|
# * the folding tables from jcodings
|
|
allowed_expr+="|^tables/"
|
|
# * contents of hbase-webapps
|
|
allowed_expr+="|^hbase-webapps/"
|
|
# * HBase's default configuration files, which have the form
|
|
# "_module_-default.xml"
|
|
allowed_expr+="|^hbase-default.xml$"
|
|
# public suffix list used by httpcomponents
|
|
allowed_expr+="|^mozilla/$"
|
|
allowed_expr+="|^mozilla/public-suffix-list.txt$"
|
|
# Comes from commons-configuration, not sure if relocatable.
|
|
allowed_expr+="|^digesterRules.xml$"
|
|
allowed_expr+="|^properties.dtd$"
|
|
allowed_expr+="|^PropertyList-1.0.dtd$"
|
|
|
|
|
|
if [ -n "${allow_hadoop}" ]; then
|
|
# * classes in packages that start with org.apache.hadoop, which by
|
|
# convention should be in a path that looks like org/apache/hadoop
|
|
allowed_expr+="|^org/apache/hadoop/"
|
|
# * Hadoop's default configuration files, which have the form
|
|
# "_module_-default.xml"
|
|
allowed_expr+="|^[^-]*-default.xml$"
|
|
# * Hadoop's versioning properties files, which have the form
|
|
# "_module_-version-info.properties"
|
|
allowed_expr+="|^[^-]*-version-info.properties$"
|
|
# * Hadoop's application classloader properties file.
|
|
allowed_expr+="|^org.apache.hadoop.application-classloader.properties$"
|
|
else
|
|
# We have some classes for integrating with the Hadoop Metrics2 system
|
|
# that have to be in a particular package space due to access rules.
|
|
allowed_expr+="|^org/apache/hadoop/metrics2"
|
|
fi
|
|
|
|
|
|
allowed_expr+=")"
|
|
declare -i bad_artifacts=0
|
|
declare -a bad_contents
|
|
for artifact in "${artifact_list[@]}"; do
|
|
bad_contents=($(jar tf "${artifact}" | grep -v -E "${allowed_expr}" || true))
|
|
if [ ${#bad_contents[@]} -gt 0 ]; then
|
|
echo "[ERROR] Found artifact with unexpected contents: '${artifact}'"
|
|
echo " Please check the following and either correct the build or update"
|
|
echo " the allowed list with reasoning."
|
|
echo ""
|
|
for bad_line in "${bad_contents[@]}"; do
|
|
echo " ${bad_line}"
|
|
done
|
|
bad_artifacts=${bad_artifacts}+1
|
|
else
|
|
echo "[INFO] Artifact looks correct: '$(basename "${artifact}")'"
|
|
fi
|
|
done
|
|
|
|
# if there was atleast one bad artifact, exit with failure
|
|
if [ "${bad_artifacts}" -gt 0 ]; then
|
|
exit 1
|
|
fi
|