| author | Craig Jennings <c@cjennings.net> | 2026-05-20 21:53:58 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-05-20 21:53:58 -0400 |
| commit | cb209a2d01f5c17024738b490c8fa109959b5303 (patch) | |
| tree | f62a37e3b1ee3ffacaf3085676cc213fe8bff0c6 /scripts | |
| parent | c6c7a48b81e5592e1f37947a5532dc202ab701e3 (diff) | |
| download | archsetup-cb209a2d01f5c17024738b490c8fa109959b5303.tar.gz archsetup-cb209a2d01f5c17024738b490c8fa109959b5303.zip | |
fix(installer): guard constructed-path rm -rf deletes
Three rm -rf sites in archsetup delete paths built from variables: $state_dir for --fresh, and $source_dir/$prog_name for the git and AUR clone-retry cleanups. If a path variable were empty or malformed (preflight skipped, a degenerate git URL), the delete could expand to a top-level or otherwise unintended directory.
I added a safe_rm_rf <path> <allowed_prefix> helper that refuses to run unless the target is absolute, free of '..', deeper than a bare top-level dir, strictly inside the allowed prefix, and a real directory rather than a symlink. On the happy path it delegates to rm -rf, so successful installs are unchanged. The helper is self-contained and defined before the top-level --fresh handler, which runs before the logging helpers exist.
I covered the guard with unit tests under tests/safe-rm-rf/ that source the real function and exercise normal, boundary, and error cases against temp directories.
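As an added illustration of the guard described in the commit message (this is not the archsetup helper itself, and the function name, argument order, messages and return codes are my assumptions): a POSIX sh `safe_rm_rf <path> <allowed_prefix>` that refuses unless the target is absolute, free of `..`, `.` and empty components, deeper than a bare top-level directory, strictly inside the prefix, and a real directory rather than a symlink. It adds one check the message does not mention: both sides are resolved with `cd -P` before the delete, so a symlink in an intermediate component (`$prefix/link/sub` pointing at `/etc/sub`) cannot redirect `rm -rf` outside the prefix.

```shell
#!/bin/sh
# Added example, not the archsetup helper: a guard for rm -rf on a path
# built from variables. Name, argument order and messages are assumptions.
#
# usage:  safe_rm_rf <path> <allowed_prefix>
# returns 0 after deleting, 1 if any check refuses (nothing is removed then).

refuse() {
    printf 'safe_rm_rf: refusing: %s\n' "$1" >&2
    return 1
}

# Drop a single trailing slash so "/a/b/" and "/a/b" compare equal; "/" stays "/".
trim_slash() {
    case $1 in
        /)  printf '/' ;;
        */) printf '%s' "${1%/}" ;;
        *)  printf '%s' "$1" ;;
    esac
}

safe_rm_rf() {
    [ "$#" -eq 2 ] || { refuse "need <path> <allowed_prefix>"; return 1; }
    t=$(trim_slash "$1")
    p=$(trim_slash "$2")

    # 1. non-empty and absolute (an empty $state_dir fails here, not at rm)
    case $t in /*) ;; *) refuse "not absolute: '$t'"; return 1 ;; esac
    case $p in /*) ;; *) refuse "prefix not absolute: '$p'"; return 1 ;; esac

    # 2. deeper than a bare top-level directory: /usr/foo ok, /usr and / not
    case ${t#/} in
        */*) ;;
        *)   refuse "top-level or root: '$t'"; return 1 ;;
    esac

    # 3. no '..', '.' or empty ("//") components anywhere in the target
    case "$t/" in
        */../*|*/./*|*//*) refuse "unnormalised component in '$t'"; return 1 ;;
    esac

    # 4. strictly inside the allowed prefix; the prefix itself is not deletable
    case $t in
        "$p"/*) ;;
        *)      refuse "'$t' is not inside '$p'"; return 1 ;;
    esac

    # 5. a real directory, not a symlink (-d follows links, so test -L first)
    [ -L "$t" ] && { refuse "symlink: '$t'"; return 1; }
    [ -d "$t" ] || { refuse "not a directory: '$t'"; return 1; }

    # 6. resolve both sides physically and re-check containment, so a symlinked
    #    intermediate component cannot point the delete outside the prefix
    rt=$(cd -P -- "$t" 2>/dev/null && pwd -P) || { refuse "cannot resolve '$t'"; return 1; }
    rp=$(cd -P -- "$p" 2>/dev/null && pwd -P) || { refuse "cannot resolve prefix '$p'"; return 1; }
    case $rt in
        "$rp"/*) ;;
        *)       refuse "'$t' resolves to '$rt', outside '$rp'"; return 1 ;;
    esac

    rm -rf -- "$rt"
}
```

Because every refusal is a plain `return 1`, a caller running under `set -e` aborts the install on a refused delete unless it wraps the call in `if` or `||`; the prefix check is a pure string comparison, so a prefix of `/` refuses everything rather than allowing everything.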
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
