Index: trunk/packages/invirt-dev/python/invirt/builder.py
===================================================================
--- trunk/packages/invirt-dev/python/invirt/builder.py	(revision 2834)
+++ trunk/packages/invirt-dev/python/invirt/builder.py	(revision 3028)
@@ -29,4 +29,17 @@
     return os.path.join(_REPO_DIR, 'invirt/packages', '%s.git' % package)
 
+def ensureValidRepo(package):
+    """Perform some basic sanity checks that the requested repo is in a
+    subdirectory of _REPO_DIR/invirt/packages.  This prevents weirdness
+    such as submitting a package like '../prod/...git'.  Also ensures that
+    the repo exists."""
+    # TODO: this might be easier just to regex
+    repo = os.path.abspath(getRepo(package))
+    parent_dir = os.path.dirname(repo)
+    prefix = os.path.join(_REPO_DIR, 'invirt/packages')
+    if not parent_dir.startswith(prefix):
+        raise InvalidBuild('Invalid package name %s' % package)
+    elif not os.path.exists(repo):
+        raise InvalidBuild('Nonexisting package %s' % package)
 
 def pocketToGit(pocket):
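Review bot: The containment test on `if not parent_dir.startswith(prefix):` is a bare string-prefix comparison, so a normalized parent that merely begins with the packages directory name (a sibling such as `…/invirt/packages-other`, reachable via `..` components in `package`) still passes, and `prefix` is never normalized with `os.path.abspath` the way `repo` is, so the check also fails outright if `_REPO_DIR` is relative. Since getRepo builds `<prefix>/<package>.git`, a legitimate repo's parent is exactly the packages directory; `if parent_dir != os.path.abspath(prefix):` states that intent and closes the gap (use `startswith(prefix + os.sep)` only if nested package paths are meant to be allowed). Symlinks under the packages directory are not resolved either, so `os.path.realpath` would be needed if that matters here. The docstring could record that this path-based check is the guard for caller-supplied package names, so the TODO's regex would be a stricter name allowlist in addition to, not instead of, this check.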
@@ -43,5 +56,5 @@
     """Return the contents of a path from a git ref in a package."""
     return c.captureOutput(['git', 'cat-file', 'blob', '%s:%s' % (ref, path)],
-                         cwd=getRepo(package))
+                           cwd=getRepo(package))
 
 
@@ -86,4 +99,5 @@
     it returns True.
     """
+    ensureValidRepo(package)
     package_repo = getRepo(package)
     new_version = getVersion(package, commit)
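Review bot: `ensureValidRepo(package)` is invoked only at this one call site, while getGitFile in the earlier hunk still hands `package` straight to `getRepo`, so any other caller that reaches getRepo gets no containment check. If `package` can be caller-supplied on those paths as well, moving the call into `getRepo` itself (or a validated wrapper the other entry points use) makes the check impossible to skip; if it is deliberately limited to this entry point, a comment such as `# package is caller-supplied; validate before any path is built from it` would record that decision. The enclosing function starts before this hunk.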
@@ -97,5 +111,5 @@
         b = pocketToGit(p)
         current_commit = c.captureOutput(['git', 'rev-parse', b],
-                                       cwd=package_repo)
+                                         cwd=package_repo).strip()
         current_version = getVersion(package, b)
 
@@ -104,9 +118,9 @@
                 ret = p
             else:
-                raise InvalidBuild('Version %s of %s already available in '
+                raise InvalidBuild('Version %s of %s already available is in '
                                    'pocket %s from commit %s' %
                                    (new_version, package, p, current_commit))
 
-    if config.build.pockets[pocket].get('allow_backtracking', False):
+    if not config.build.pockets[pocket].get('allow_backtracking', False):
         branch = pocketToGit(pocket)
         current_version = getVersion(package, branch)
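Review bot: The reworded message on the `raise InvalidBuild(...)` line now reads "Version %s of %s already available is in pocket %s", which is ungrammatical; the intended wording is presumably `'Version %s of %s is already available in '`. The inverted `if not config.build.pockets[pocket].get('allow_backtracking', False):` changes which pockets are subjected to the version comparison, but its body continues past the end of this hunk, so whether the inversion is the intended fix cannot be confirmed from here; a one-line comment above it stating why pockets that disallow backtracking take this branch would help the next reader.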
