summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFlorian Pritz <bluewind@xinu.at>2019-09-28 14:30:19 +0200
committerFlorian Pritz <bluewind@xinu.at>2019-09-28 15:25:57 +0200
commit2283a5a231b301b01f3c43a20853b4ee41a5582c (patch)
treec1d449356a37f29551ff85c09d0bb48f4b748985
parent4eaf6823cbf2c2d332b317e6f6f755b23b6a1d1f (diff)
downloadApp-BorgRestore-2283a5a231b301b01f3c43a20853b4ee41a5582c.tar.gz
App-BorgRestore-2283a5a231b301b01f3c43a20853b4ee41a5582c.tar.xz
Helper: Remove untaint_archive_name
We no longer need a special whitelist for archive names since the database no longer uses them as column keys. We still need to untaint variables that are passed to DBI so we use untaint() for this now. We also move the location of the untaint call closer to its usage with DBI/system() to prevent untainted data from leaking elsewhere. Fixes #4 Signed-off-by: Florian Pritz <bluewind@xinu.at>
-rw-r--r--Changes2
-rw-r--r--lib/App/BorgRestore.pm3
-rw-r--r--lib/App/BorgRestore/Borg.pm1
-rw-r--r--lib/App/BorgRestore/DB.pm8
-rw-r--r--lib/App/BorgRestore/Helper.pm4
-rw-r--r--t/helper/untaint.t19
6 files changed, 6 insertions, 31 deletions
diff --git a/Changes b/Changes
index 9bb5022..eeb4d3b 100644
--- a/Changes
+++ b/Changes
@@ -1,6 +1,8 @@
Revision history for Perl extension App-BorgRestore
{{$NEXT}}
+ - Remove archive name untaint restrictions (remove untaint_archive_name
+ function)
3.3.0 2019-02-07T16:18:41Z
- Support borg list's --prefix option via $borg_prefix setting
diff --git a/lib/App/BorgRestore.pm b/lib/App/BorgRestore.pm
index afbe918..2ae0a09 100644
--- a/lib/App/BorgRestore.pm
+++ b/lib/App/BorgRestore.pm
@@ -329,7 +329,6 @@ process during method execution since this is required by C<`borg extract`>.
method restore($path, $archive, $destination) {
$destination = App::BorgRestore::Helper::untaint($destination, qr(.*));
$path = App::BorgRestore::Helper::untaint($path, qr(.*));
- my $archive_name = App::BorgRestore::Helper::untaint_archive_name($archive->{archive});
$log->infof("Restoring %s to %s from archive %s", $path, $destination, $archive->{archive});
@@ -346,7 +345,7 @@ method restore($path, $archive, $destination) {
$final_destination = App::BorgRestore::Helper::untaint($final_destination, qr(.*));
$log->debugf("Removing %s", $final_destination);
File::Path::remove_tree($final_destination);
- $self->{deps}->{borg}->restore($components_to_strip, $archive_name, $path);
+ $self->{deps}->{borg}->restore($components_to_strip, $archive->{archive}, $path);
}
$log->debugf("CWD is %s", getcwd());
}
diff --git a/lib/App/BorgRestore/Borg.pm b/lib/App/BorgRestore/Borg.pm
index def6b9c..24c0608 100644
--- a/lib/App/BorgRestore/Borg.pm
+++ b/lib/App/BorgRestore/Borg.pm
@@ -116,6 +116,7 @@ method borg_list_time() {
method restore($components_to_strip, $archive_name, $path) {
$log->debugf("Restoring '%s' from archive %s, stripping %d components of the path", $path, $archive_name, $components_to_strip);
+ $archive_name = App::BorgRestore::Helper::untaint($archive_name, qr(.*));
system(qw(borg extract -v --strip-components), $components_to_strip, $self->{borg_repo}."::".$archive_name, $path);
}
diff --git a/lib/App/BorgRestore/DB.pm b/lib/App/BorgRestore/DB.pm
index fe85c4d..cb51ce1 100644
--- a/lib/App/BorgRestore/DB.pm
+++ b/lib/App/BorgRestore/DB.pm
@@ -125,10 +125,8 @@ method get_archive_row_count() {
}
method add_archive_name($archive) {
- $archive = App::BorgRestore::Helper::untaint_archive_name($archive);
-
my $st = $self->{dbh}->prepare('insert into `archives` (`archive_name`) values (?);');
- $st->execute($archive);
+ $st->execute(App::BorgRestore::Helper::untaint($archive, qr(.*)));
$self->_add_column_to_table("files", $archive);
}
@@ -139,8 +137,6 @@ method _add_column_to_table($table, $column) {
}
method remove_archive($archive) {
- $archive = App::BorgRestore::Helper::untaint_archive_name($archive);
-
my $archive_id = $self->get_archive_id($archive);
my @keep_archives = grep {$_ ne $archive;} @{$self->get_archive_names()};
@@ -172,7 +168,7 @@ method remove_archive($archive) {
}
my $st = $self->{dbh}->prepare('delete from `archives` where `archive_name` = ?;');
- $st->execute($archive);
+ $st->execute(App::BorgRestore::Helper::untaint($archive, qr(.*)));
}
method get_archive_id($archive) {
diff --git a/lib/App/BorgRestore/Helper.pm b/lib/App/BorgRestore/Helper.pm
index 869d4ee..7df250d 100644
--- a/lib/App/BorgRestore/Helper.pm
+++ b/lib/App/BorgRestore/Helper.pm
@@ -23,10 +23,6 @@ fun untaint($data, $regex) {
return $1;
}
-fun untaint_archive_name($archive) {
- return untaint($archive, qr([a-zA-Z0-9-:+\.]+));
-}
-
fun format_timestamp($timestamp) {
return POSIX::strftime "%a. %F %H:%M:%S %z", localtime $timestamp;
}
diff --git a/t/helper/untaint.t b/t/helper/untaint.t
deleted file mode 100644
index 0c2e36a..0000000
--- a/t/helper/untaint.t
+++ /dev/null
@@ -1,19 +0,0 @@
-use strictures 2;
-
-use Log::Any::Adapter ('TAP');
-use Test::More;
-use Test::Exception;
-
-use App::BorgRestore::Helper;
-
-ok(App::BorgRestore::Helper::untaint_archive_name('abc-1234:5+1') eq 'abc-1234:5+1');
-ok(App::BorgRestore::Helper::untaint_archive_name('abc') eq 'abc');
-ok(App::BorgRestore::Helper::untaint_archive_name('root-2016-09-30T15+02:00.checkpoint') eq 'root-2016-09-30T15+02:00.checkpoint');
-
-dies_ok(sub{App::BorgRestore::Helper::untaint_archive_name('abc`"\'')}, 'special chars not allowed');
-dies_ok(sub{App::BorgRestore::Helper::untaint_archive_name('abc`')}, 'special chars not allowed');
-dies_ok(sub{App::BorgRestore::Helper::untaint_archive_name('abc"')}, 'special chars not allowed');
-dies_ok(sub{App::BorgRestore::Helper::untaint_archive_name('abc\'')}, 'special chars not allowed');
-
-
-done_testing;