Fix security issues of the argument parser #1133
Conversation
| @@ -88,27 +90,12 @@ class version_checker | |||
| #endif | |||
| std::smatch versionMatch; | |||
|
|
|||
| // Ensure version string is not corrupt | |||
| if (!version_.empty() && /*regex allows version prefix instead of exact match */ | |||
| std::regex_search(version_, versionMatch, std::regex("^([[:digit:]]+\\.[[:digit:]]+\\.[[:digit:]]+).*"))) | |||
| { | |||
| version = versionMatch.str(1); // in case the git revision number is given take only version number | |||
There was a problem hiding this comment.
So version = "MALICIOUS CODE"; stays the same, because it does not match the regex and will therefore not be changed?
There was a problem hiding this comment.
(note the underscore difference)
if version_ == "some malicious code not matching the regex" then the member version will never be set inside the if clause and remains the default "0.0.0".
Is the "zusammenploebbeln" of the command more clear now with the changes?
There was a problem hiding this comment.
AH okay, I didn't catch the underscore.
Is the "zusammenploebbeln" of the command more clear now with the changes?
👍
|
Hmm jenkins and travis are failing.
|
| { | ||
| const char * argv[] = {"./argument_parser_test"}; | ||
|
|
||
| EXPECT_NO_THROW((argument_parser parser{"test_parser", 1, argv})); |
There was a problem hiding this comment.
I think you should do this:
| EXPECT_NO_THROW((argument_parser parser{"test_parser", 1, argv})); | |
| EXPECT_NO_THROW((argument_parser{"test_parser", 1, argv})); |
There was a problem hiding this comment.
Or
| EXPECT_NO_THROW((argument_parser parser{"test_parser", 1, argv})); | |
| EXPECT_NO_THROW(([]() | |
| { | |
| argument_parser parser{"test_parser", 1, argv}; | |
| }())); |
smehringer
force-pushed
the
argument_parser_version_check
branch
2 times, most recently
from
21d200b to
7fd7ac1
Compare
Codecov Report
@@ Coverage Diff @@
## master #1133 +/- ##
==========================================
+ Coverage 96.42% 96.43% +<.01%
==========================================
Files 196 196
Lines 7757 7761 +4
==========================================
+ Hits 7480 7484 +4
Misses 277 277
Continue to review full report at Codecov.
|
smehringer
force-pushed
the
argument_parser_version_check
branch
from
7fd7ac1 to
f0c9154
Compare
| @@ -166,6 +167,10 @@ class argument_parser | |||
| * \param[in] argv The command line arguments to parse. | |||
| * \param[in] version_check Notify users about app version updates (default true). | |||
| * | |||
| * \throws seqan3::parser_design_error if the application name contains illegal characters. | |||
| * | |||
| * The application name must only contain alpha-numeric characters or '_' and '-' (regex: \"^[a-zA-Z0-9_-]+$\"). | |||
There was a problem hiding this comment.
| * The application name must only contain alpha-numeric characters or '_' and '-' (regex: \"^[a-zA-Z0-9_-]+$\"). | |
| * The application name must only contain alpha-numeric characters, '_' or '-', i.e. the following regex must evaluate to true: `\"^[a-zA-Z0-9_-]+$\"`. |
smehringer
force-pushed
the
argument_parser_version_check
branch
2 times, most recently
from
ac0915a to
3c37f5a
Compare
…he first variable in PATH.
…ty leaks of the version call.
smehringer
force-pushed
the
argument_parser_version_check
branch
from
3c37f5a to
ebfee17
Compare
Addresses several things of #1101
Best reviewd commit by commit.