Skip to content

Commit

Permalink
Merge pull request from GHSA-vrxp-mg9f-hwf3
Browse files Browse the repository at this point in the history
Fix handling of wildcards and relative paths
  • Loading branch information
adityasaky authored Sep 21, 2021
2 parents 2351e0f + 6eaf706 commit f2c57d1
Show file tree
Hide file tree
Showing 5 changed files with 682 additions and 181 deletions.
228 changes: 228 additions & 0 deletions in_toto/match.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,228 @@
// Copyright 2010 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found at https://golang.org/LICENSE.

// this is a modified version of path.Match that removes handling of path separators

package in_toto

import (
"errors"
"unicode/utf8"
)

// errBadPattern indicates a pattern was malformed.
var errBadPattern = errors.New("syntax error in pattern")

// match reports whether name matches the shell pattern.
// The pattern syntax is:
//
// pattern:
// { term }
// term:
// '*' matches any sequence of non-/ characters
// '?' matches any single non-/ character
// '[' [ '^' ] { character-range } ']'
// character class (must be non-empty)
// c matches character c (c != '*', '?', '\\', '[')
// '\\' c matches character c
//
// character-range:
// c matches character c (c != '\\', '-', ']')
// '\\' c matches character c
// lo '-' hi matches character c for lo <= c <= hi
//
// Match requires pattern to match all of name, not just a substring.
// The only possible returned error is ErrBadPattern, when pattern
// is malformed.
//
func match(pattern, name string) (matched bool, err error) {
Pattern:
for len(pattern) > 0 {
var star bool
var chunk string
star, chunk, pattern = scanChunk(pattern)
if star && chunk == "" {
// Trailing * matches everything
return true, nil
}
// Look for match at current position.
t, ok, err := matchChunk(chunk, name)
// if we're the last chunk, make sure we've exhausted the name
// otherwise we'll give a false result even if we could still match
// using the star
if ok && (len(t) == 0 || len(pattern) > 0) {
name = t
continue
}
if err != nil {
return false, err
}
if star {
// Look for match skipping i+1 bytes.
for i := 0; i < len(name); i++ {
t, ok, err := matchChunk(chunk, name[i+1:])
if ok {
// if we're the last chunk, make sure we exhausted the name
if len(pattern) == 0 && len(t) > 0 {
continue
}
name = t
continue Pattern
}
if err != nil {
return false, err
}
}
}
// Before returning false with no error,
// check that the remainder of the pattern is syntactically valid.
for len(pattern) > 0 {
_, chunk, pattern = scanChunk(pattern)
if _, _, err := matchChunk(chunk, ""); err != nil {
return false, err
}
}
return false, nil
}
return len(name) == 0, nil
}

// scanChunk gets the next segment of pattern, which is a non-star string
// possibly preceded by a star.
func scanChunk(pattern string) (star bool, chunk, rest string) {
for len(pattern) > 0 && pattern[0] == '*' {
pattern = pattern[1:]
star = true
}
inrange := false
var i int
Scan:
for i = 0; i < len(pattern); i++ {
switch pattern[i] {
case '\\':
// error check handled in matchChunk: bad pattern.
if i+1 < len(pattern) {
i++
}
case '[':
inrange = true
case ']':
inrange = false
case '*':
if !inrange {
break Scan
}
}
}
return star, pattern[0:i], pattern[i:]
}

// matchChunk checks whether chunk matches the beginning of s.
// If so, it returns the remainder of s (after the match).
// Chunk is all single-character operators: literals, char classes, and ?.
func matchChunk(chunk, s string) (rest string, ok bool, err error) {
// failed records whether the match has failed.
// After the match fails, the loop continues on processing chunk,
// checking that the pattern is well-formed but no longer reading s.
failed := false
for len(chunk) > 0 {
if !failed && len(s) == 0 {
failed = true
}
switch chunk[0] {
case '[':
// character class
var r rune
if !failed {
var n int
r, n = utf8.DecodeRuneInString(s)
s = s[n:]
}
chunk = chunk[1:]
// possibly negated
negated := false
if len(chunk) > 0 && chunk[0] == '^' {
negated = true
chunk = chunk[1:]
}
// parse all ranges
match := false
nrange := 0
for {
if len(chunk) > 0 && chunk[0] == ']' && nrange > 0 {
chunk = chunk[1:]
break
}
var lo, hi rune
if lo, chunk, err = getEsc(chunk); err != nil {
return "", false, err
}
hi = lo
if chunk[0] == '-' {
if hi, chunk, err = getEsc(chunk[1:]); err != nil {
return "", false, err
}
}
if lo <= r && r <= hi {
match = true
}
nrange++
}
if match == negated {
failed = true
}

case '?':
if !failed {
_, n := utf8.DecodeRuneInString(s)
s = s[n:]
}
chunk = chunk[1:]

case '\\':
chunk = chunk[1:]
if len(chunk) == 0 {
return "", false, errBadPattern
}
fallthrough

default:
if !failed {
if chunk[0] != s[0] {
failed = true
}
s = s[1:]
}
chunk = chunk[1:]
}
}
if failed {
return "", false, nil
}
return s, true, nil
}

// getEsc gets a possibly-escaped character from chunk, for a character class.
func getEsc(chunk string) (r rune, nchunk string, err error) {
if len(chunk) == 0 || chunk[0] == '-' || chunk[0] == ']' {
err = errBadPattern
return
}
if chunk[0] == '\\' {
chunk = chunk[1:]
if len(chunk) == 0 {
err = errBadPattern
return
}
}
r, n := utf8.DecodeRuneInString(chunk)
if r == utf8.RuneError && n == 1 {
err = errBadPattern
}
nchunk = chunk[n:]
if len(nchunk) == 0 {
err = errBadPattern
}
return
}
85 changes: 85 additions & 0 deletions in_toto/match_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found at https://golang.org/LICENSE.

// this is a modified version of path.Match that removes handling of path separators

package in_toto

import "testing"

type MatchTest struct {
pattern, s string
match bool
err error
}

var matchTests = []MatchTest{
{"*", "foo/bar", true, nil},
{"abc", "abc", true, nil},
{"*", "abc", true, nil},
{"*c", "abc", true, nil},
{"a*", "a", true, nil},
{"a*", "abc", true, nil},
{"a*", "ab/c", true, nil},
{"a*/b", "abc/b", true, nil},
{"a*/b", "a/c/b", true, nil},
{"a*b*c*d*e*/f", "axbxcxdxe/f", true, nil},
{"a*b*c*d*e*/f", "axbxcxdxexxx/f", true, nil},
{"a*b*c*d*e*/f", "axbxcxdxe/xxx/f", true, nil},
{"a*b*c*d*e*/f", "axbxcxdxexxx/fff", false, nil},
{"a*b?c*x", "abxbbxdbxebxczzx", true, nil},
{"a*b?c*x", "abxbbxdbxebxczzy", false, nil},
{"ab[c]", "abc", true, nil},
{"ab[b-d]", "abc", true, nil},
{"ab[e-g]", "abc", false, nil},
{"ab[^c]", "abc", false, nil},
{"ab[^b-d]", "abc", false, nil},
{"ab[^e-g]", "abc", true, nil},
{"a\\*b", "a*b", true, nil},
{"a\\*b", "ab", false, nil},
{"a?b", "a☺b", true, nil},
{"a[^a]b", "a☺b", true, nil},
{"a???b", "a☺b", false, nil},
{"a[^a][^a][^a]b", "a☺b", false, nil},
{"[a-ζ]*", "α", true, nil},
{"*[a-ζ]", "A", false, nil},
{"a?b", "a/b", true, nil},
{"a*b", "a/b", true, nil},
{"[\\]a]", "]", true, nil},
{"[\\-]", "-", true, nil},
{"[x\\-]", "x", true, nil},
{"[x\\-]", "-", true, nil},
{"[x\\-]", "z", false, nil},
{"[\\-x]", "x", true, nil},
{"[\\-x]", "-", true, nil},
{"[\\-x]", "a", false, nil},
{"[]a]", "]", false, errBadPattern},
{"[-]", "-", false, errBadPattern},
{"[x-]", "x", false, errBadPattern},
{"[x-]", "-", false, errBadPattern},
{"[x-]", "z", false, errBadPattern},
{"[-x]", "x", false, errBadPattern},
{"[-x]", "-", false, errBadPattern},
{"[-x]", "a", false, errBadPattern},
{"\\", "a", false, errBadPattern},
{"[a-b-c]", "a", false, errBadPattern},
{"[", "a", false, errBadPattern},
{"[^", "a", false, errBadPattern},
{"[^bc", "a", false, errBadPattern},
{"a[", "a", false, errBadPattern},
{"a[", "ab", false, errBadPattern},
{"a[", "x", false, errBadPattern},
{"a/b[", "x", false, errBadPattern},
{"a[\\", "x", false, errBadPattern},
{"*x", "xxx", true, nil},
}

func TestMatch(t *testing.T) {
for _, tt := range matchTests {
ok, err := match(tt.pattern, tt.s)
if ok != tt.match || err != tt.err {
t.Errorf("Match(%#q, %#q) = %v, %v want %v, %v", tt.pattern, tt.s, ok, err, tt.match, tt.err)
}
}
}
3 changes: 1 addition & 2 deletions in_toto/util.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package in_toto

import (
"fmt"
"path/filepath"
)

/*
Expand Down Expand Up @@ -89,7 +88,7 @@ non-match plus a warning is printed.
func (s Set) Filter(pattern string) Set {
res := NewSet()
for elem := range s {
matched, err := filepath.Match(pattern, elem)
matched, err := match(pattern, elem)
if err != nil {
fmt.Printf("WARNING: %s, pattern was '%s'\n", err, pattern)
continue
Expand Down
Loading

0 comments on commit f2c57d1

Please sign in to comment.