train-core 3.15.2 → 3.16.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 93eb56f75bd0bb4445766f711e0c6a4bc9c9b4b7dcdbce27065cdbe1d77f173a
-  data.tar.gz: 48da5db98b20cc50e46a76f7c293fc3d7c659073081a3ac5d3e5b1e0bad6aa8b
+  metadata.gz: 8c128201cccb279232b166336df2264fa69d23d4244678a25c46ec1ecf72a47b
+  data.tar.gz: bed78ce368487e2e220d5b5361f49f20ed2d4483f2033b4800dff57cd07a0e4a
 SHA512:
-  metadata.gz: 15d5e62ef1c5e23f91a49f23a358f27d1b7e3297614419d5b15dedc9b25ec9848881b1c955693d75c2b5eece7783829c376210dc52d69ba92754cb1ba134f07a
-  data.tar.gz: da106c56945fa66b0bf01917276bf9bc5b694787c7e4b1a1cfdb8ff6c9e73a6f737c0a98e7df0f5d1f656c936e9dc388ec19db967733ecd197cb47e0fa012c83
+  metadata.gz: 1ca1fc41aabfd604cf2e7cd9d8ac7cf64f733d29a96b8a7b8c48e608b7f88a30627009a51a7f6fc47c99f012db153fbdee8736e94f35ad8954fdb74b0b92f2f9
+  data.tar.gz: 15fb4bef30b0391a70c6fce30e41b836101e6d9181bc93ab30838023b5cb86a4c00e18bfe7b8bb715f916b1702eed79d86135440ac629332e74f69b5abd7b79d

data/lib/train/transports/local.rb

@@ -229,11 +229,28 @@ module Train::Transports
           at_exit { close rescue Errno::EIO }
 
           pipe = nil
+          ownership_verified = false
 
           # PowerShell needs time to create pipe.
           100.times do
+            unless ownership_verified
+              owner, current_user, is_owner = pipe_owned_by_current_user?(pipe_name)
+              if owner.nil?
+                sleep 0.1
+                next
+              end
+
+              unless is_owner
+                raise PipeError, "Unauthorized user '#{current_user}' tried to connect to pipe '#{pipe_name}'. Pipe is owned by '#{owner}'."
+              end
+
+              ownership_verified = true
+            end
+
             pipe = open("//./pipe/#{pipe_name}", "r+")
             break
+          rescue PipeError
+            raise
           rescue
             sleep 0.1
           end
@@ -246,17 +263,30 @@ module Train::Transports
 
           script = <<-EOF
             $ErrorActionPreference = 'Stop'
+            $ProgressPreference = 'SilentlyContinue'
+            $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
+            $pipeSecurity = New-Object System.IO.Pipes.PipeSecurity
+            $rule = New-Object System.IO.Pipes.PipeAccessRule($user, "FullControl", "Allow")
+            $pipeSecurity.AddAccessRule($rule)
+            $pipeServer = New-Object System.IO.Pipes.NamedPipeServerStream('#{pipe_name}', [System.IO.Pipes.PipeDirection]::InOut, 1, [System.IO.Pipes.PipeTransmissionMode]::Byte, [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $pipeSecurity)
+
+            try {
+              $pipeServer.WaitForConnection()
+            } catch {
+              exit 1
+            }
 
-            $pipeServer = New-Object System.IO.Pipes.NamedPipeServerStream('#{pipe_name}')
             $pipeReader = New-Object System.IO.StreamReader($pipeServer)
             $pipeWriter = New-Object System.IO.StreamWriter($pipeServer)
 
-            $pipeServer.WaitForConnection()
-
             # Create loop to receive and process user commands/scripts
             $clientConnected = $true
             while($clientConnected) {
               $input = $pipeReader.ReadLine()
+              if ($input -eq $null) {
+                $clientConnected = $false
+                break
+              }
               $command = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($input))
 
               # Execute user command/script and convert result to JSON
@@ -278,8 +308,14 @@ module Train::Transports
 
               # Encode JSON in Base64 and write to pipe
               $encodedResult = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($resultJSON))
-              $pipeWriter.WriteLine($encodedResult)
-              $pipeWriter.Flush()
+              try {
+                $pipeWriter.WriteLine($encodedResult)
+                $pipeWriter.Flush()
+              } catch [System.IO.IOException] {
+                # Pipe was closed by client, exit gracefully
+                $clientConnected = $false
+                break
+              }
             }
           EOF
 
@@ -288,6 +324,29 @@ module Train::Transports
           cmd = "#{@powershell_cmd} -NoProfile -ExecutionPolicy bypass -NonInteractive -EncodedCommand #{base64_script}"
           Process.create(command_line: cmd).process_id
         end
+
+        def current_windows_user
+          user = `powershell -Command "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name"`.strip
+          if user.nil? || user.empty?
+            user = `whoami`.strip
+          end
+          if user.nil? || user.empty?
+            raise "Unable to determine current Windows user"
+          end
+
+          user
+        end
+
+        # Verify pipe ownership before connecting
+        def pipe_owned_by_current_user?(pipe_name)
+          exists = `powershell -Command "Test-Path \\\\.\\pipe\\#{pipe_name}"`.strip.downcase == "true"
+          current_user = current_windows_user
+          return [nil, current_user, false] unless exists
+
+          owner = `powershell -Command "(Get-Acl \\\\.\\pipe\\#{pipe_name}).Owner" 2>&1`.strip
+          is_owner = !owner.nil? && !current_user.nil? && owner.casecmp(current_user) == 0
+          [owner, current_user, is_owner]
+        end
       end
     end
   end

data/lib/train/version.rb

@@ -2,5 +2,5 @@
 # Author:: Dominik Richter (<dominik.richter@gmail.com>)
 
 module Train
-  VERSION = "3.15.2".freeze
+  VERSION = "3.16.1".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: train-core
 version: !ruby/object:Gem::Version
-  version: 3.15.2
+  version: 3.16.1
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2026-01-09 00:00:00.000000000 Z
+date: 2026-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable