internal/cmd/update.go: check path prefixes

johnstcn · johnstcn · commit bdb998ec3996 · 2021-08-13T15:20:21.000Z
diff --git a/internal/cmd/update.go b/internal/cmd/update.go
@@ -14,7 +14,9 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"os/exec"
 	"path"
+	"path/filepath"
 	"runtime"
 	"strings"
 	"time"
@@ -32,7 +34,8 @@ import (
 
 // updater updates coder-cli.
 type updater struct {
-	confirmF       func(label string) (string, error)
+	confirmF       func(string) (string, error)
+	execF          func(context.Context, string, ...string) ([]byte, error)
 	executablePath string
 	fs             afero.Fs
 	httpClient     getter
@@ -63,6 +66,7 @@ func updateCmd() *cobra.Command {
 
 			updater := &updater{
 				confirmF:       defaultConfirm,
+				execF:          defaultExec,
 				executablePath: currExe,
 				httpClient:     httpClient,
 				fs:             afero.NewOsFs(),
@@ -84,9 +88,27 @@ type getter interface {
 }
 
 func (u *updater) Run(ctx context.Context, force bool, coderURLString string) error {
-	// TODO: check under following directories and warn if coder binary is under them:
+	// Check under following directories and warn if coder binary is under them:
+	//   * C:\Windows\
 	//   * homebrew prefix
-	//   * coder assets root (env CODER_ASSETS_ROOT)
+	//   * coder assets root (/var/tmp/coder)
+	var pathBlockList = []string{
+		`C:\Windows\`,
+		`/var/tmp/coder`,
+	}
+	brewPrefixCmd, err := u.execF(ctx, "brew", "--prefix")
+	if err == nil { // ignore errors if homebrew not installed
+		pathBlockList = append(pathBlockList, strings.TrimSpace(string(brewPrefixCmd)))
+	}
+
+	for _, prefix := range pathBlockList {
+		if HasFilePathPrefix(u.executablePath, prefix) {
+			return clog.Fatal(
+				"cowardly refusing to update coder binary",
+				clog.BlankLine,
+				clog.Causef("executable path %q is under blocklisted prefix %q", u.executablePath, prefix))
+		}
+	}
 
 	currentBinaryStat, err := u.fs.Stat(u.executablePath)
 	if err != nil {
@@ -312,7 +334,7 @@ func getCoderConfigURL() (*url.URL, error) {
 }
 
 // XXX: coder.Client requires an API key, but we may not be logged into the coder instance for which we
-// want to determine the version. We don't need an API key to sniff the version header.
+// want to determine the version. We don't need an API key to hit /api/private/version though.
 func getAPIVersionUnauthed(client getter, baseURL url.URL) (*semver.Version, error) {
 	baseURL.Path = path.Join(baseURL.Path, "/api/private/version")
 	resp, err := client.Get(baseURL.String())
@@ -341,3 +363,33 @@ func getAPIVersionUnauthed(client getter, baseURL url.URL) (*semver.Version, err
 
 	return version, nil
 }
+
+// HasFilePathPrefix reports whether the filesystem path s
+// begins with the elements in prefix.
+// Lifted from github.com/golang/go/blob/master/src/cmd/internal/str/path.go
+func HasFilePathPrefix(s, prefix string) bool {
+	sv := strings.ToUpper(filepath.VolumeName(s))
+	pv := strings.ToUpper(filepath.VolumeName(prefix))
+	s = s[len(sv):]
+	prefix = prefix[len(pv):]
+	switch {
+	default:
+		return false
+	case sv != pv:
+		return false
+	case len(s) == len(prefix):
+		return s == prefix
+	case prefix == "":
+		return true
+	case len(s) > len(prefix):
+		if prefix[len(prefix)-1] == filepath.Separator {
+			return strings.HasPrefix(s, prefix)
+		}
+		return s[len(prefix)] == filepath.Separator && s[:len(prefix)] == prefix
+	}
+}
+
+// defaultExec wraps exec.CommandContext
+func defaultExec(ctx context.Context, cmd string, args ...string) ([]byte, error) {
+	return exec.CommandContext(ctx, cmd, args...).CombinedOutput()
+}
diff --git a/internal/cmd/update_test.go b/internal/cmd/update_test.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -32,7 +33,6 @@ const (
 var (
 	apiPrivateVersionURL = fakeCoderURL + "/api/private/version"
 	fakeNewVersionJson   = fmt.Sprintf(`{"version":%q}`, fakeNewVersion)
-	fakeOldVersionJson   = fmt.Sprintf(`{"version":%q}`, fakeOldVersion)
 )
 
 func Test_updater_run(t *testing.T) {
@@ -42,6 +42,7 @@ func Test_updater_run(t *testing.T) {
 	type params struct {
 		ConfirmF       func(string) (string, error)
 		Ctx            context.Context
+		Execer         *fakeExecer
 		ExecutablePath string
 		Fakefs         afero.Fs
 		HttpClient     *fakeGetter
@@ -53,6 +54,7 @@ func Test_updater_run(t *testing.T) {
 	fromParams := func(p *params) *updater {
 		return &updater{
 			confirmF:       p.ConfirmF,
+			execF:          p.Execer.ExecF,
 			executablePath: p.ExecutablePath,
 			fs:             p.Fakefs,
 			httpClient:     p.HttpClient,
@@ -65,13 +67,16 @@ func Test_updater_run(t *testing.T) {
 		t.Logf("running %s", name)
 		ctx := context.Background()
 		fakefs := afero.NewMemMapFs()
+		execer := newFakeExecer(t)
+		execer.M["brew --prefix"] = fakeExecerResult{[]byte{}, os.ErrNotExist}
 		params := &params{
 			// This must be overridden inside run()
 			ConfirmF: func(string) (string, error) {
 				t.Errorf("unhandled ConfirmF")
 				t.FailNow()
 				return "", nil
 			},
+			Execer:         execer,
 			Ctx:            ctx,
 			ExecutablePath: fakeExePathLinux,
 			Fakefs:         fakefs,
@@ -270,6 +275,43 @@ func Test_updater_run(t *testing.T) {
 		assert.ErrorContains(t, "update coder - read-only fs", err, "failed to create file")
 		assertFileContent(t, p.Fakefs, fakeExePathLinux, fakeOldVersion)
 	})
+
+	if runtime.GOOS == "windows" {
+		run(t, "update coder - path blocklist - windows", func(t *testing.T, p *params) {
+			p.ExecutablePath = `C:\Windows\system32\coder.exe`
+			u := fromParams(p)
+			err := u.Run(p.Ctx, false, fakeCoderURL)
+			assert.ErrorContains(t, "update coder - path blocklist - windows", err, "cowardly refusing to update coder binary")
+		})
+	} else {
+		run(t, "update coder - path blocklist - coder assets dir", func(t *testing.T, p *params) {
+			p.ExecutablePath = `/var/tmp/coder/coder`
+			u := fromParams(p)
+			err := u.Run(p.Ctx, false, fakeCoderURL)
+			assert.ErrorContains(t, "update coder - path blocklist - windows", err, "cowardly refusing to update coder binary")
+		})
+		run(t, "update coder - path blocklist - old homebrew prefix", func(t *testing.T, p *params) {
+			p.Execer.M["brew --prefix"] = fakeExecerResult{[]byte("/usr/local"), nil}
+			p.ExecutablePath = `/usr/local/bin/coder`
+			u := fromParams(p)
+			err := u.Run(p.Ctx, false, fakeCoderURL)
+			assert.ErrorContains(t, "update coder - path blocklist - old homebrew prefix", err, "cowardly refusing to update coder binary")
+		})
+		run(t, "update coder - path blocklist - new homebrew prefix", func(t *testing.T, p *params) {
+			p.Execer.M["brew --prefix"] = fakeExecerResult{[]byte("/opt/homebrew"), nil}
+			p.ExecutablePath = `/opt/homebrew/bin/coder`
+			u := fromParams(p)
+			err := u.Run(p.Ctx, false, fakeCoderURL)
+			assert.ErrorContains(t, "update coder - path blocklist - new homebrew prefix", err, "cowardly refusing to update coder binary")
+		})
+		run(t, "update coder - path blocklist - linuxbrew", func(t *testing.T, p *params) {
+			p.Execer.M["brew --prefix"] = fakeExecerResult{[]byte("/home/user/.linuxbrew"), nil}
+			p.ExecutablePath = `/home/user/.linuxbrew/bin/coder`
+			u := fromParams(p)
+			err := u.Run(p.Ctx, false, fakeCoderURL)
+			assert.ErrorContains(t, "update coder - path blocklist - linuxbrew", err, "cowardly refusing to update coder binary")
+		})
+	}
 }
 
 // fakeGetter mocks HTTP requests
@@ -378,3 +420,31 @@ var fakeValidZipBytes, _ = base64.StdEncoding.DecodeString(`UEsDBAoAAAAAAAtfDVNC
 BOgDAAAE6AMAADEuMjMuNC1yYy41KzY3OC1nYWJjZGVmLTEyMzQ1Njc4UEsBAh4DCgAAAAAAC18N
 U0Ic0MIgAAAAIAAAAAkAGAAAAAAAAQAAAO2BAAAAAGNvZGVyLmV4ZVVUBQAD5l0WYXV4CwABBOgD
 AAAE6AMAAFBLBQYAAAAAAQABAE8AAABjAAAAAAA=`)
+
+type fakeExecer struct {
+	M map[string]fakeExecerResult
+	T *testing.T
+}
+
+func (f *fakeExecer) ExecF(_ context.Context, cmd string, args ...string) ([]byte, error) {
+	cmdAndArgs := strings.Join(append([]string{cmd}, args...), " ")
+	val, ok := f.M[cmdAndArgs]
+	if !ok {
+		f.T.Errorf("unhandled cmd %q", cmd)
+		f.T.FailNow()
+		return nil, nil // will never happen
+	}
+	return val.Output, val.Err
+}
+
+func newFakeExecer(t *testing.T) *fakeExecer {
+	return &fakeExecer{
+		M: make(map[string]fakeExecerResult),
+		T: t,
+	}
+}
+
+type fakeExecerResult struct {
+	Output []byte
+	Err    error
+}
