Fix #1708 - Don't modify linters or register fixers in the sandbox

2018-07-17 21:39:50 +01:00 · 2018-07-17 21:39:50 +01:00 · 5453e0e1a4
parent 7952ebe77e
commit 5453e0e1a4
3 changed files with 57 additions and 1 deletions
--- a/autoload/ale/fix/registry.vim
+++ b/autoload/ale/fix/registry.vim
@ -242,6 +242,9 @@ endfunction
 " Add a function for fixing problems to the registry.
 " (name, func, filetypes, desc, aliases)
 function! ale#fix#registry#Add(name, func, filetypes, desc, ...) abort
+    " This command will throw from the sandbox.
+    let &equalprg=&equalprg
+
    if type(a:name) != type('')
        throw '''name'' must be a String'
    endif
--- a/autoload/ale/linter.vim
+++ b/autoload/ale/linter.vim
@ -50,6 +50,9 @@ endfunction
 " This is only for tests.
 " Do not call this function.
 function! ale#linter#GetLintersLoaded() abort
+    " This command will throw from the sandbox.
+    let &equalprg=&equalprg
+
    return s:linters
 endfunction

@ -289,6 +292,9 @@ function! ale#linter#PreProcess(filetype, linter) abort
 endfunction

 function! ale#linter#Define(filetype, linter) abort
+    " This command will throw from the sandbox.
+    let &equalprg=&equalprg
+
    if !has_key(s:linters, a:filetype)
        let s:linters[a:filetype] = []
    endif
@ -304,6 +310,12 @@ function! ale#linter#PreventLoading(filetype) abort
 endfunction

 function! ale#linter#GetAll(filetypes) abort
+    " Don't return linters in the sandbox.
+    " Otherwise a sandboxed script could modify them.
+    if ale#util#InSandbox()
+        return []
+    endif
+
    let l:combined_linters = []

    for l:filetype in a:filetypes
--- a/test/test_sandbox_execution.vader
+++ b/test/test_sandbox_execution.vader
@ -24,10 +24,13 @@ Before:
  let g:ale_buffer_info = {}

 After:
+  unlet! b:in_sandbox
+  unlet! b:result
+
  delfunction TestCallback
  call ale#linter#Reset()
  let g:ale_buffer_info = {}
-  unlet! b:in_sandbox
+

 Given foobar (Some imaginary filetype):
  foo
@ -61,3 +64,41 @@ Execute(ALE shouldn't blow up if file cleanup happens in a sandbox):

  AssertEqual ['/tmp/foo'], g:ale_buffer_info[3].temporary_file_list
  AssertEqual ['/tmp/bar'], g:ale_buffer_info[3].temporary_directory_list
+
+Execute(You shouldn't be able to define linters from the sandbox):
+  call ale#linter#Reset()
+  call ale#linter#PreventLoading('testft')
+
+  AssertThrows sandbox call ale#linter#Define('testft', {
+  \ 'name': 'testlinter',
+  \ 'output_stream': 'stdout',
+  \ 'executable': 'testlinter',
+  \ 'command': 'testlinter',
+  \ 'callback': 'testCB',
+  \})
+  AssertEqual 'Vim(let):E48: Not allowed in sandbox', g:vader_exception
+  AssertEqual [], ale#linter#GetAll(['testft'])
+
+Execute(You shouldn't be able to register fixers from the sandbox):
+  call ale#fix#registry#Clear()
+  AssertThrows sandbox call ale#fix#registry#Add('prettier', '', ['javascript'], 'prettier')
+  AssertEqual 'Vim(let):E48: Not allowed in sandbox', g:vader_exception
+  AssertEqual [], ale#fix#registry#CompleteFixers('', 'ALEFix ', 7)
+
+Execute(You shouldn't be able to get linters from the sandbox, to prevent tampering):
+  AssertThrows sandbox call ale#linter#GetLintersLoaded()
+  AssertEqual 'Vim(let):E48: Not allowed in sandbox', g:vader_exception
+
+  call ale#linter#Reset()
+
+  sandbox let b:result = ale#linter#GetAll(['testft'])
+
+  AssertEqual 0, len(b:result)
+
+  let b:result = ale#linter#GetAll(['testft'])
+
+  AssertEqual 1, len(b:result)
+
+  sandbox let b:result = ale#linter#GetAll(['testft'])
+
+  AssertEqual 0, len(b:result)