Last 12 weeks · 0 commits
4 of 6 standards met
This PR fixes a command injection vulnerability in dromedary.py. The original code used shell=True with string concatenation, allowing arbitrary commands to be executed via the -s or -e flags. I have replaced these calls with shell=False and passed arguments as lists to ensure safe execution. The Issue: The script used shell=True and string joining for subprocess calls. This allowed arbitrary command execution via the -s and -e arguments. The Fix: I have updated all subprocess calls to use argument lists and set shell=False. This ensures that user input is treated as literal strings and cannot break out into shell commands. I have verified the fix locally; attack strings are no longer executed by the shell.
While the first section is still mostly true, see the edit for full explanation.* OPAM packages such as the commonly-used crypto/hashing library, , will not generate appropriate rules as it is a virtual library which links in either a C- or OCaml-based implementation. Dependent rules will only depend on and not or , so compilation will fail. conf- packages in OPAM are virtual packages which become available if the corresponding library is present on the host (e.g. conf-sqlite3). But it's not clear how to make these rules work with libraries installed on the host system as everything is relative to the root passed to dromedary.py. EDIT: I did a little more exploration into the Digestif case. It uses what they call a "link trick" to allow the package to offer the interface, while the or packages offer the implementation. This only works if the implementation package appears before** on the compile line. However, in the META files, depends on (not the other way around), and Buck decides to link first, as it is a dependency of those which come later. This breaks the build. A fix is to invert the dependency and make depend on . This seems to work, but I'm not sure there is a trivial way to fix this in the generation scripts.
https://github.com/facebook/ocaml-scripts/blob/25d311341e823e786c7b1b4c8586cf3e41fdca1f/rules.py#L125 Everything is generated as a bytecode-only rule, so native libraries are never honoured. This is due to the line above creating a 1-tuple for some reason, which is evaluated as truthy in the following check: https://github.com/facebook/ocaml-scripts/blob/25d311341e823e786c7b1b4c8586cf3e41fdca1f/rules.py#L151 Simply changing to should be sufficient.
the definition of the OCaml API 'unix' library generated by 'dromedary.py' misses native and bytecode C library data. what 'domedary.py' generates is and what 'dromedary.py' should generate is this means OCaml binaries that use the module fail to link. example link failures can be seen on the test-unix-workflow branch of this ocaml-scripts clone by executing test-unix.yml. see these build logs. the workflow attempts to build the target , a program that calls the function.
Repository: facebook/ocaml-scripts. Description: Set of scripts to help building OCaml projects using buck2. Stars: 8, Forks: 5. Primary language: Python. Languages: Python (98.3%), Shell (1.7%). License: MIT. Open PRs: 1, open issues: 3. Last activity: 1y ago. Community health: 75%. Top contributors: shayne-fletcher, Release-Candidate, facebook-github-bot, amyreese, EmeraldShift.