From f48583c57edf673ad1f141caaf1c5375e022da99 Mon Sep 17 00:00:00 2001 
From: Wilken Rivera Date: Tue, 16 Feb 2021 13:31:18 -0500 Subject: [PATCH 1/2] github/getter: Adds a hostname check to Get function This change adds a simple hostname validation check to validate that a plugins source address is github.com before continuing with the Get call. An issue was encountered when using a hostname different from github.com, where the getter would continue to pull a plugin from GitHub even if the hostname was something like "example.com". See log details below. Before change ``` 2021/02/16 12:49:41 [TRACE] fetching checksums file for the "0.0.2" version of the example.com/hashicorp/docker plugin in "/home/wilken/.packer.d/plugins/example.com/hashicorp/docker"... 2021/02/16 12:49:41 [DEBUG] github-getter: getting "https://github.com/hashicorp/packer-plugin-docker/releases/download/v0.0.2/packer-plugin-docker_v0.0.2_SHA256SUMS" 2021/02/16 12:49:42 [TRACE] Ignoring remote binary packer-plugin-docker_v0.0.2_x5.0_linux_arm64.zip, wrong system, expected 2021/02/16 12:49:42 [TRACE] About to get: packer-plugin-docker_v0.0.2_x5.0_linux_amd64.zip 2021/02/16 12:49:42 [DEBUG] github-getter: getting "https://github.com/hashicorp/packer-plugin-docker/releases/download/v0.0.2/packer-plugin-docker_v0.0.2_x5.0_linux_amd64.zip" ``` After change ``` 2021/02/16 13:36:32 [TRACE] for plugin example.com/hashicorp/docker found 0 matching installation(s) 2021/02/16 13:36:32 [TRACE] getting available versions for the the example.com/hashicorp/docker plugin 2021/02/16 13:36:32 [TRACE] &{%!q(*github.Client=) "packer-getter-github-1.7.0-dev"} getter could not get release: example.com/hashicorp/docker doesn't appear to be a valid github.com source address; check source and try again. 2021/02/16 13:36:32 [DEBUG] will try to install: [] 2021/02/16 13:36:32 [INFO] (telemetry) Finalizing. no release version found for the example.com/hashicorp/docker plugin matching the constraint(s): ">=v0.0.2" 2021/02/16 13:36:32 waiting for all plugin processes to complete... 
```
---
packer/plugin-getter/github/getter.go | 6 ++++++ packer/plugin-getter/plugins.go | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/packer/plugin-getter/github/getter.go b/packer/plugin-getter/github/getter.go
index c34e092a8..c33c55d77 100644
--- a/packer/plugin-getter/github/getter.go
+++ b/packer/plugin-getter/github/getter.go
@@ -23,6 +23,7 @@ import (
 const (
 ghTokenAccessor = "PACKER_GITHUB_API_TOKEN"
 defaultUserAgent = "packer-plugin-getter"
+ defaultHostname = "github.com"
 )
 type Getter struct {
@@ -154,6 +155,11 @@ func (t *HostSpecificTokenAuthTransport) base() http.RoundTripper {
 }
 func (g *Getter) Get(what string, opts plugingetter.GetOptions) (io.ReadCloser, error) {
+ if opts.PluginRequirement.Identifier.Hostname != defaultHostname {
+ s := opts.PluginRequirement.Identifier.String() + " doesn't appear to be a valid " + defaultHostname + " source address; check source and try again."
+ return nil, errors.New(s)
+ }
+
 ctx := context.TODO()
 if g.Client == nil {
 var tc *http.Client
diff --git a/packer/plugin-getter/plugins.go b/packer/plugin-getter/plugins.go
index 9dd670741..9595b67a0 100644
--- a/packer/plugin-getter/plugins.go
+++ b/packer/plugin-getter/plugins.go
@@ -345,7 +345,7 @@ func (pr *Requirement) InstallLatest(opts InstallOptions) (*Installation, error)
 getters := opts.Getters
 fail := fmt.Errorf("could not find a local nor a remote checksum for plugin %q %q", pr.Identifier, pr.VersionConstraints)
- log.Printf("[TRACE] getting available versions for the the %s plugin", pr.Identifier)
+ log.Printf("[TRACE] getting available versions for the %s plugin", pr.Identifier)
 versions := version.Collection{}
 for _, getter := range getters {
From 728c5a217dae1fa75a9d09a8328dfa1eedbd6f3b Mon Sep 17 00:00:00 2001
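Review bot: The new guard at the top of Get compares Identifier.Hostname with defaultHostname by exact, case-sensitive equality, so a source spelled `GitHub.com` is refused along with foreign hosts; that is the fail-closed direction, but the intent deserves a comment because the pre-change behaviour was to fetch from GitHub whatever host the requirement declared. Suggested comment above the `if`: `// This getter only serves github.com; refuse any other host rather than silently fetching from GitHub under a foreign hostname.` If the Identifier parser does not already lowercase the host (it is not visible from this hunk), `strings.EqualFold(opts.PluginRequirement.Identifier.Hostname, defaultHostname)` would keep hostname case from deciding acceptance. Style: the message could be `fmt.Errorf("%s doesn't appear to be a valid %s source address; check source and try again", opts.PluginRequirement.Identifier, defaultHostname)` — Go error strings conventionally drop the trailing period, and the caller already prefixes "getter could not get release:" — provided fmt is imported in this file, which the hunk does not show. The body of Get continues below the hunk.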
From: Wilken Rivera Date: Tue, 16 Feb 2021 14:03:29 -0500 Subject: [PATCH 2/2] Add test case for non-github hostname Tests results on current branch; install succeeded which was not expected ``` 2021/02/16 14:02:24 ui: Installed plugin example.com/sylviamoss/comment v0.2.19 in "/tmp/pkr-test-cfg-dir-6_pkr_config458005728/example.com/sylviamoss/comment/packer-plugin-comment_v0.2.19_x5.0_linux_amd64" init_test.go:361: InitCommand.Run() = 0, want 1 init_test.go:381: unexpected dir hash after init: string( - "h1:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=", + "h1:iVtzkl/nVm2KiLvlz8rH56ME8QEqRxq8+XT2Lo6bzGU=", ) --- FAIL: TestInitCommand_Run (6.39s) --- PASS: TestInitCommand_Run/already-installed-no-op (0.01s) --- PASS: TestInitCommand_Run/already-installed-no-op/-subtest-0 (0.00s) --- PASS: TestInitCommand_Run/already-installed-upgrade (2.30s) --- PASS: TestInitCommand_Run/already-installed-upgrade/-subtest-0 (0.06s) --- PASS: TestInitCommand_Run/release-with-no-binary (0.17s) --- PASS: TestInitCommand_Run/manually-installed-single-component-plugin-works (1.32s) --- PASS: TestInitCommand_Run/manually-installed-single-component-plugin-works/-subtest-0 (0.01s) --- PASS: TestInitCommand_Run/manually-installed-single-component-plugin-old-api-fails (1.42s) --- PASS: TestInitCommand_Run/manually-installed-single-component-plugin-old-api-fails/-subtest-0 (0.01s) --- FAIL: TestInitCommand_Run/unsupported-non-github-source-address (1.18s) ``` Tests results after change with change in this branch ``` 2021/02/16 14:03:14 [TRACE] getting available versions for the example.com/sylviamoss/comment plugin 2021/02/16 14:03:14 [TRACE] &{%!q(*github.Client=) "packer-getter-github-1.7.0-dev"} getter could not get release: example.com/sylviamoss/comment doesn't appear to be a valid github.com source address; check source and try again. 
2021/02/16 14:03:14 [DEBUG] will try to install: [] 2021/02/16 14:03:14 ui error: no release version found for the example.com/sylviamoss/comment plugin matching the constraint(s): "v0.2.19" --- PASS: TestInitCommand_Run (5.38s) --- PASS: TestInitCommand_Run/already-installed-no-op (0.01s) --- PASS: TestInitCommand_Run/already-installed-no-op/-subtest-0 (0.00s) --- PASS: TestInitCommand_Run/already-installed-upgrade (2.08s) --- PASS: TestInitCommand_Run/already-installed-upgrade/-subtest-0 (0.07s) --- PASS: TestInitCommand_Run/release-with-no-binary (0.21s) --- PASS: TestInitCommand_Run/manually-installed-single-component-plugin-works (1.20s) --- PASS: TestInitCommand_Run/manually-installed-single-component-plugin-works/-subtest-0 (0.01s) --- PASS: TestInitCommand_Run/manually-installed-single-component-plugin-old-api-fails (1.88s) --- PASS: TestInitCommand_Run/manually-installed-single-component-plugin-old-api-fails/-subtest-0 (0.01s) --- PASS: TestInitCommand_Run/unsupported-non-github-source-address (0.00s) ```
---
command/init_test.go | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
diff --git a/command/init_test.go b/command/init_test.go
index 0b86379c7..6a44bc620 100644
--- a/command/init_test.go
+++ b/command/init_test.go
@@ -291,6 +291,32 @@ func TestInitCommand_Run(t *testing.T) {
 testBuild{want: 1}.fn,
 },
 },
+ {
+ "unsupported-non-github-source-address",
+ []func(t *testing.T, tc testCaseInit){
+ skipInitTestUnlessEnVar(acctest.TestEnvVar).fn,
+ },
+ testMetaFile(t),
+ nil,
+ "h1:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+ map[string]string{
+ `cfg.pkr.hcl`: `
+ packer {
+ required_plugins {
+ comment = {
+ source = "example.com/sylviamoss/comment"
+ version = "v0.2.19"
+ }
+ }
+ }`,
+ },
+ cfg.dir("6_pkr_config"),
+ cfg.dir("6_pkr_user_folder"),
+ 1,
+ nil,
+ "h1:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+ nil,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
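Review bot: The new table entry is gated by `skipInitTestUnlessEnVar(acctest.TestEnvVar).fn`, so the hostname rejection is only exercised when the acceptance env var is set, even though the path it covers returns from Get before any client is built and needs no network. A plain unit test in the github getter package — build a GetOptions whose PluginRequirement.Identifier carries a non-github.com Hostname, call Get, and assert a non-nil error and a nil reader — would catch a regression on every `go test ./...` without the acceptance gating; I am inferring the GetOptions shape from the getter hunk in the first patch, so confirm it is constructible from a test. Both h1 strings in the entry appear to be the dirhash of an empty directory, consistent with nothing being installed, and a short `// nothing must be installed: both hashes are the empty-dir hash` beside them would save the next reader a lookup. The tests table and TestInitCommand_Run start above the hunk.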