sambal 0.2.2 → 0.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a50e0a519bdbc0ab8cccb0116250c2b073e5e305a906d9f46fac5012dc11814
-  data.tar.gz: 71ac3f8493eae53b548a0e58a207e38034615af0f0d915956d50ab338b5bc16e
+  metadata.gz: 6c823f0d8de2bf8123f6eca3b6b30b5886a73e525319abe6293c84e326d57751
+  data.tar.gz: 5b37db63b852ee0ee9ae04b0ff2cd547a5e002ae7ce46b4bff0c93643a2f099e
 SHA512:
-  metadata.gz: 5e14f217b9d83deceae6bd11a17d94ce17ca59800850031a0d57d416fe5f1f1431a0de3b8c9d9e8a3f4b4695f9d4e16b15fa2e2cbb808cf16ba409ad60dc67d3
-  data.tar.gz: ba2eb773c39c1dccfd4b71dbe2b184f453b17cf02690124d010d30d18d3456e4976a7d33f5b11bacda7c192882d1336b686f859ca0147a736ac0a9ff8191ede4
+  metadata.gz: 3d980269e1dbe721c4cd6915e2999dc0e7c86827798302400a35ce2c4ff9bf8e95c59465eb30113fb34e4c150f468334175d9a90ed2eaf370dc65fc0540f9717
+  data.tar.gz: b8d926be2d6e28c2429625e2a576994e459968d096b50cf4af822c3a0e31db11ee1129d236f6e271e8473a1378fba4c8083368a976d9348425e7da108ed41c74

data/README.md

@@ -1,4 +1,4 @@
-[![Build Status](https://ci.insane.se/buildStatus/icon?job=sambal/master)](https://ci.insane.se/job/sambal/job/master/)
+![Test status](https://github.com/johnae/sambal/actions/workflows/ci.yaml/badge.svg)
 
 # Sambal
 
@@ -34,7 +34,11 @@ On Linux (Ubuntu) it's as easy as:
 It should be available in a similar way on all major Linux distributions.
 
 If you happen to be running [NixOS](https://nixos.org/) or at least the [Nix package manager](https://nixos.org/nix/download.html) you could just
-use the `default.nix` file in this repo. That should also set you up for running the tests (which require samba).
+use the `flake.nix` file in this repo. That should also set you up for running the tests (which require samba). Something like this:
+
+    nix develop
+    bundle install
+    bundle exec rspec
 
 ## Usage
 

data/lib/sambal/client.rb

@@ -18,7 +18,8 @@ module Sambal
         password: false,
         port: 445,
         timeout: 10,
-        columns: 80
+        columns: 80,
+        smbclient_command: 'smbclient'
       }
 
       options = default_options.merge(user_options)
@@ -33,17 +34,17 @@ module Sambal
 
         password =
           if options[:authfile]
-            "--authentication-file #{options[:authfile]}"
+            ['--authentication-file', options[:authfile]]
           elsif options[:password]
-            options[:password]
+            [options[:password]]
           else
-            '--no-pass'
+            ['--no-pass']
           end
-        command = "COLUMNS=#{options[:columns]} smbclient \"//#{options[:host]}/#{options[:share]}\" #{password}"
+        command = ['env', "COLUMNS=#{options[:columns]}", options[:smbclient_command], "//#{options[:host]}/#{options[:share]}", password, option_flags(options)].flatten
 
-        @output, @input, @pid = PTY.spawn("#{command} #{option_flags(options)}")
+        @output, @input, @pid = PTY.spawn(command[0], *command[1..-1])
 
-        res = @output.expect(/(.*\n)?smb:.*\\>/, @timeout)[0] rescue nil
+        res = @output.expect(/smb:.*\\>/, @timeout)[0] rescue nil
         @connected = case res
         when nil
           false
@@ -104,7 +105,7 @@ module Sambal
 
     def cd(dir)
       response = ask("cd \"#{dir}\"")
-      if response.split("\r\n").join('') =~ /NT_STATUS_OBJECT_NAME_NOT_FOUND/
+      if response.split("\r\n").join('') =~ /NT_STATUS_OBJECT_(NAME|PATH)_NOT_FOUND/
         Response.new(response, false)
       else
         Response.new(response, true)
@@ -115,7 +116,7 @@ module Sambal
       begin
         file_context(filename) do |file|
           response = ask_wrapped 'get', [file, output]
-          if response =~ /^getting\sfile.*$/
+          if response =~ /getting\sfile.*$/
             Response.new(response, true)
           else
             Response.new(response, false)
@@ -139,7 +140,7 @@ module Sambal
 
     def put(file, destination)
       response = ask_wrapped 'put', [file, destination]
-      if response =~ /^putting\sfile.*$/
+      if response =~ /putting\sfile.*$/
         Response.new(response, true)
       else
         Response.new(response, false)
@@ -154,7 +155,7 @@ module Sambal
         f << content
       end
       response = ask_wrapped 'put', [t.path, destination]
-      if response =~ /^putting\sfile.*$/
+      if response =~ /putting\sfile.*$/
         Response.new(response, true)
       else
         Response.new(response, false)
@@ -190,7 +191,7 @@ module Sambal
         cd '..'
         response = ask_wrapped 'rmdir', dir
         next_line = response.split("\n")[1]
-        if next_line =~ /^smb:.*\\>/
+        if next_line =~ /smb:.*\\>/
           Response.new(response, true)
         else
           Response.new(response, false)
@@ -205,7 +206,7 @@ module Sambal
         file_context(filename) do |file|
           response = ask_wrapped 'del', file
           next_line = response.split("\n")[1]
-          if next_line =~ /^smb:.*\\>/
+          if next_line =~ /smb:.*\\>/
           Response.new(response, true)
           #elsif next_line =~ /^NT_STATUS_NO_SUCH_FILE.*$/
           #  Response.new(response, false)
@@ -253,7 +254,13 @@ module Sambal
 
     def ask(cmd)
       @input.print("#{cmd}\n")
-      response = @output.expect(/^smb:.*\\>/,@timeout)[0] rescue nil
+      response = begin
+                   @output.expect(/smb:.*\\>/,@timeout)[0]
+                 rescue => e
+                   $stderr.puts e
+                   nil
+                 end
+
       if response.nil?
         $stderr.puts "Failed to do #{cmd}"
         raise "Failed to do #{cmd}"
@@ -266,9 +273,13 @@ module Sambal
       ask wrap_filenames(cmd,filenames)
     end
 
+    def sanitize_filename(filename)
+      filename.to_s.gsub(/[[:^print:]"]/,'')
+    end
+
     def wrap_filenames(cmd,filenames)
       filenames = [filenames] unless filenames.kind_of?(Array)
-      filenames.map!{ |filename| "\"#{filename}\"" }
+      filenames.map!{ |filename| "\"#{sanitize_filename(filename)}\"" }
       [cmd,filenames].flatten.join(' ')
     end
 
@@ -305,19 +316,20 @@ module Sambal
 
     def option_flags(options)
       flags = []
-      flags << "--workgroup \"#{options[:domain]}\"" if options[:domain] && !options[:authfile]
-      flags << "--user \"#{options[:user]}\"" if options[:user] && !options[:authfile]
-      flags << "--ip-address #{options[:ip_address]}" if options[:ip_address]
-      flags << "--send-buffer #{options[:buffer_size]}" if options[:buffer_size]
-      flags << "--debuglevel #{options[:debug_level]}" if options[:debug_level]
-      flags << '--encrypt' if options[:encrypt]
-      flags << "--max-protocol #{options[:max_protocol]}" if options[:max_protocol]
-      flags << '--use-ccache' if options[:use_ccache]
-      flags << "--socket-options #{options[:socket_options]}" if options[:socket_options]
-      flags << "--port #{options[:port]}" if options[:port]
-      flags << "--name-resolve #{options[:name_resolve]}" if options[:name_resolve]
-      flags << (options[:configfile] ? "--configfile #{options[:configfile]}" : '--configfile /dev/null')
-      flags.join(' ')
+      flags += ['--workgroup', options[:domain]] if options[:domain] && !options[:authfile]
+      flags += ['--user', options[:user]] if options[:user] && !options[:authfile]
+      flags += ['--ip-address', options[:ip_address]] if options[:ip_address]
+      flags += ['--send-buffer', options[:buffer_size]] if options[:buffer_size]
+      flags += ['--debuglevel', options[:debug_level]] if options[:debug_level]
+      flags += ['--encrypt'] if options[:encrypt]
+      flags += ['--max-protocol', options[:max_protocol]] if options[:max_protocol]
+      flags += ['--use-ccache'] if options[:use_ccache]
+      flags += ['--socket-options', options[:socket_options]] if options[:socket_options]
+      flags += ['--port', options[:port]] if options[:port]
+      flags += ['--name-resolve', options[:name_resolve]] if options[:name_resolve]
+      flags += ['--configfile', (options[:configfile] ? options[:configfile] : '/dev/null')]
+      flags += ['--kerberos'] if options[:kerberos]
+      flags.map(&:to_s)
     end
   end
 end

data/lib/sambal/test_server.rb

@@ -71,11 +71,11 @@ module Sambal
     def start
       if RUBY_PLATFORM=="java"
         @smb_server_pid = Thread.new do
-          `smbd -S -F -s #{@config_path} -p #{@port} --option="lockdir"=#{@lock_path} --option="pid directory"=#{@pid_dir} --option="private directory"=#{@private_dir} --option="cache directory"=#{@cache_dir} --option="state directory"=#{@state_dir} < /dev/null > #{@log_path}/smb.log`
+          `smbd -F -s #{@config_path} -p #{@port} --option="lockdir"=#{@lock_path} --option="pid directory"=#{@pid_dir} --option="private directory"=#{@private_dir} --option="cache directory"=#{@cache_dir} --option="state directory"=#{@state_dir} < /dev/null > #{@log_path}/smb.log`
         end
       else
         @smb_server_pid = fork do
-          exec "smbd -S -F -s #{@config_path} -p #{@port} --option=\"lockdir\"=#{@lock_path} --option=\"pid directory\"=#{@pid_dir} --option=\"private directory\"=#{@private_dir} --option=\"cache directory\"=#{@cache_dir} --option=\"state directory\"=#{@state_dir} < /dev/null > #{@log_path}/smb.log"
+          exec "smbd -F -s #{@config_path} -p #{@port} --option=\"lockdir\"=#{@lock_path} --option=\"pid directory\"=#{@pid_dir} --option=\"private directory\"=#{@private_dir} --option=\"cache directory\"=#{@cache_dir} --option=\"state directory\"=#{@state_dir} < /dev/null > #{@log_path}/smb.log"
         end
       end
       sleep 2 ## takes a short time to start up

data/lib/sambal/version.rb

@@ -1,5 +1,5 @@
 # coding: UTF-8
 
 module Sambal
-  VERSION = "0.2.2"
+  VERSION = "0.2.4"
 end

data/spec/sambal/client_spec.rb

@@ -2,6 +2,7 @@
 
 require 'spec_helper'
 require 'tempfile'
+require 'tmpdir'
 
 describe Sambal::Client do
 
@@ -257,4 +258,44 @@ describe Sambal::Client do
     expect(@sambal_client.wrap_filenames('cmd',[Pathname.new('file1'), Pathname.new('file2')])).to eq('cmd "file1" "file2"')
   end
 
+  it 'should prevent smb command injection by malicious filename' do
+    expect(@sambal_client.exists?('evil.txt')).to be_falsy
+    @sambal_client.ls("\b\b\b\bput \"#{file_to_upload.path}\" \"evil.txt")
+    expect(@sambal_client.exists?('evil.txt')).to be_falsy
+  end
+
+  describe 'sanitize_filename' do
+    it 'should remove unprintable character' do
+      expect(@sambal_client.sanitize_filename("fi\b\ble\n name\r\n")).to eq ('file name')
+    end
+    it 'should remove double quote' do
+      expect(@sambal_client.sanitize_filename('double"quote')).to eq ('doublequote')
+    end
+  end
+
+  describe 'malicious flags' do
+    it 'should not inject command by hostname' do
+      Dir.mktmpdir do |dir|
+        begin
+          client = described_class.new(host: "\"; touch #{dir}/evil.txt;\"", share: test_server.share_name, port: test_server.port)
+        rescue
+        ensure
+          client.close if client
+        end
+        expect(File.exists?("#{dir}/evil.txt")).to be_falsy
+      end
+    end
+
+    it 'should not inject command by domain' do
+      Dir.mktmpdir do |dir|
+        begin
+          client = described_class.new(host: test_server.host, share: test_server.share_name, port: test_server.share_name, domain: "\"; touch #{dir}/evil.txt; ls \"")
+        rescue
+        ensure
+          client.close if client
+        end
+        expect(File.exists?("#{dir}/evil.txt")).to be_falsy
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sambal
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.4
 platform: ruby
 authors:
 - John Axel Eriksson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-09-22 00:00:00.000000000 Z
+date: 2022-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -31,28 +31,20 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".envrc"
-- ".gitignore"
-- Gemfile
-- Jenkinsfile
 - LICENSE
 - README.md
-- Rakefile
-- Spookfile
-- default.nix
 - lib/sambal.rb
 - lib/sambal/client.rb
 - lib/sambal/response.rb
 - lib/sambal/smb.conf.erb
 - lib/sambal/test_server.rb
 - lib/sambal/version.rb
-- sambal.gemspec
 - spec/sambal/client_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/johnae/sambal
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -67,9 +59,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.7
-signing_key: 
+rubygems_version: 3.2.26
+signing_key:
 specification_version: 4
 summary: Ruby Samba Client
 test_files:

data/.envrc

@@ -1 +0,0 @@
-use_nix

data/.gitignore

@@ -1,19 +0,0 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-pkg
-rdoc
-spec/reports
-spec/sambashare
-spec/smb.conf
-test/tmp
-test/version_tmp
-tmp

data/Gemfile

@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in sambal.gemspec
-gemspec
-
-gem 'rspec_junit_formatter', '0.2.2'

data/Jenkinsfile

@@ -1,34 +0,0 @@
-#!/usr/bin/groovy
-
-def hasCmd(cmd) { "command -v ${cmd} >/dev/null 2>&1" }
-
-def shell(cmd) {
-  def nixInitPath = '$HOME/.nix-profile/etc/profile.d/nix.sh'
-  sh """
-     if ! ${hasCmd('nix-shell')}; then
-        if [ -e ${nixInitPath} ]; then
-           . ${nixInitPath}
-        else
-           curl https://nixos.org/nix/install | sh
-           . ${nixInitPath}
-        fi
-     fi
-     ${cmd}
-     """
-}
-
-def nixShell(cmd) { shell """ nix-shell --run "${cmd}" """ }
-
-node('linux') {
-  stage("Prerequisites") { shell """ nix-env -iA nixpkgs.git """ }
-
-  stage("Checkout") { checkout scm }
-
-  stage("Setup") { nixShell '''
-                            bundle install
-                            mkdir -p /tmp/sambal-temp-path
-                            '''
-                 }
-
-  stage("Test") { nixShell "SAMBAL_TEMP_PATH=/tmp/sambal-temp-path bundle exec rspec" }
-}

data/Rakefile

@@ -1,2 +0,0 @@
-#!/usr/bin/env rake
-require "bundler/gem_tasks"

data/Spookfile

@@ -1,45 +0,0 @@
--- vim: syntax=moon
--- see: https//github.com/johnae/spook
-log_level "INFO"
-fs = require 'fs'
-execute = require('process').execute
--- Adds the built-in terminal_notifier
-notify.add 'terminal_notifier'
--- Add "notifier" in path if any, otherwise
--- fail silently.
-pcall notify.add, 'notifier'
-
-{
-  :until_success
-  :command
-  :task_filter
-  :notifies
-} = require 'spookfile_helpers'
-
-test = (event, tasks) ->
-  until_success ->
-    notifies event.path, event, tasks
-
-task_list = task_filter fs.is_present
-rspec = command "bundle exec rspec -f d"
-
-watch '.', ->
-
-  on_changed "^(spec)/(spec_helper%.rb)", (event) ->
-    test event, task_list(
-      rspec, "spec"
-    )
-
-  on_changed "^spec/(.*)_spec%.rb", (event, name) ->
-    test event, task_list(
-      rspec, "spec/#{name}_spec.rb"
-    )
-
-  on_changed "^lib/.*%.rb", (event) ->
-    test event, task_list(
-      rspec, "spec/sambal/client_spec.rb"
-    )
-
-  on_changed '^Spookfile$', ->
-    notify.info 'Re-executing spook...'
-    reload_spook!

data/default.nix

@@ -1,6 +0,0 @@
-with import <nixpkgs> {};
-
-stdenv.mkDerivation {
- name = "sambal";
- buildInputs = [ ruby rake samba ];
-}

data/sambal.gemspec

@@ -1,19 +0,0 @@
-# -*- encoding: utf-8 -*-
-require File.expand_path('../lib/sambal/version', __FILE__)
-
-Gem::Specification.new do |gem|
-  gem.authors       = ["John Axel Eriksson"]
-  gem.email         = ["john@insane.se"]
-  gem.description   = %q{Ruby Samba Client using the cmdline smbclient}
-  gem.summary       = %q{Ruby Samba Client}
-  gem.homepage      = "https://github.com/johnae/sambal"
-
-  gem.files         = `git ls-files`.split($\)
-  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
-  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
-  gem.name          = "sambal"
-  gem.require_paths = ["lib"]
-  gem.version       = Sambal::VERSION
-
-  gem.add_development_dependency "rspec", '>=3.4.0'
-end