author | Arthur Zamarin <arthurzam@gentoo.org> | 2024-01-13 11:46:54 +0200 |
---|---|---|
committer | Arthur Zamarin <arthurzam@gentoo.org> | 2024-01-14 20:14:37 +0200 |
commit | 4007f00c7833aae6e455ee1b50d50a7c1d10799f (patch) | |
tree | 2865e2d98c46d1fd568644b723ef8483bd7d881f /src | |
parent | Dockerfile: introduce pkgcheck docker on release (diff) | |
SandboxCallCheck: new check for invalid sandbox calls
Catches multiple arguments passed to function, and colon separated path.
Resolves: https://github.com/pkgcore/pkgcheck/issues/644
Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/pkgcheck/checks/codingstyle.py | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/src/pkgcheck/checks/codingstyle.py b/src/pkgcheck/checks/codingstyle.py
index 90cb03b2..67dbe6c1 100644
--- a/src/pkgcheck/checks/codingstyle.py
+++ b/src/pkgcheck/checks/codingstyle.py
@@ -1539,3 +1539,36 @@ class DeclarationShadowedCheck(Check):
 if len(nodes) > 1:
 lines = sorted(node.start_point[0] + 1 for node in nodes)
 yield DuplicateFunctionDefinition(func_name, lines=lines, pkg=pkg)
+
+
+class InvalidSandboxCall(results.LineResult, results.Error):
+ """Invalid call to a sandbox function.
+
+ According to PMS and the Devmanual [#]_, only a single item is allowed as
+ argument for ``addread``, ``addwrite``, ``adddeny``, and ``addpredict``.
+ Multiple path items should not be passed as a colon-separated list.
+
+ .. [#] https://devmanual.gentoo.org/function-reference/sandbox-functions/
+ """
+
+ @property
+ def desc(self):
+ return f"line {self.lineno}: invalid call to sandbox function: {self.line}"
+
+
+class SandboxCallCheck(Check):
+ """Scan ebuilds for correct sandbox funcitons usage."""
+
+ _source = sources.EbuildParseRepoSource
+ known_results = frozenset({InvalidSandboxCall})
+
+ functions = frozenset({"addread", "addwrite", "adddeny", "addpredict"})
+
+ def feed(self, pkg: bash.ParseTree):
+ for node, _ in bash.cmd_query.captures(pkg.tree.root_node):
+ name = pkg.node_str(node.child_by_field_name("name"))
+ if name in self.functions:
+ args = node.children_by_field_name("argument")
+ if len(args) != 1 or ":" in pkg.node_str(args[0]):
+ lineno, _ = node.start_point
+ yield InvalidSandboxCall(line=pkg.node_str(node), lineno=lineno + 1, pkg=pkg) |
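Review bot: The colon test in `feed`, `":" in pkg.node_str(args[0])`, looks at the whole argument text, so it presumably also fires on a single path written with a parameter expansion such as `"${ROOT:-/}var"` (constructed example) and reports it at Error level. It would be more precise to ignore colons inside `${...}` before testing, or at least to state the limitation in the `InvalidSandboxCall` docstring, e.g. `Colons inside parameter expansions are currently reported as well.` The reverse gap deserves a docstring line too: a colon-separated list held in a variable (`addwrite "${paths}"`) is invisible to this check, so a clean result does not show that each call widens the sandbox by one path only. Separately, the `SandboxCallCheck` docstring has a typo, `funcitons` should read `functions`.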