train-core 3.14.1 → 3.15.0

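--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 66333c4f0d4ee9976b1a803fa36db769f2763586a2d04628a091a125572e1345
- data.tar.gz: fcabe9e05c7112a958eb4d80ea9f578434eaba6ea116bab402f0c5d46c95c2f0
+ metadata.gz: 1d838f638d6bbc471fdd186099014d342ec80ea3d208885d709351ed1564d96d
+ data.tar.gz: 4a3c73b0faed531af7e55578a94e76754a6ce408a1a6aac706bc2a05eff7b5f1
  SHA512:
- metadata.gz: 7335b3594bc9649282d1ca2e3c2ee0e6ee5094053c7130a554f6e2fed36dfd65440d9eaa727b60a6bf78a8cbf0afe65bf1275589614826fee73c6d7fb15c8406
- data.tar.gz: 5ebe748390217d2f1d144af77050d1d6d86ffaca03055dabbd0254e40d8a3282d239636e546fabcd3e02d5798628038e1400a3da1e6398fd81188be41956bdf5
+ metadata.gz: 5e379c906184e37a441b6c9736b95b6fd6fa724bccba8f626b964b4342305f201b4fce792bb81e4c275b8b49036aa2cad97c0682880529029354530e6d06d121
+ data.tar.gz: 72a4cfe2de2a43d359fb63c23f48264b8b316b5513693150ac256d10a867514722b5445619571b845256aeac157feaf06ea54f36288e5f192421cf6a4cf4b487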
@@ -230,6 +230,12 @@ module Train::Transports
230
230
 
231
231
  pipe = nil
232
232
 
233
+ # Verify ownership before connecting
234
+ owner, current_user, is_owner = pipe_owned_by_current_user?(pipe_name)
235
+ unless is_owner
236
+ raise PipeError, "Unauthorized user '#{current_user}' tried to connect to pipe '#{pipe_name}'. Pipe is owned by '#{owner}'."
237
+ end
238
+
233
239
  # PowerShell needs time to create pipe.
234
240
  100.times do
235
241
  pipe = open("//./pipe/#{pipe_name}", "r+")
@@ -246,8 +252,11 @@ module Train::Transports
246
252
 
247
253
  script = <<-EOF
248
254
  $ErrorActionPreference = 'Stop'
249
-
250
- $pipeServer = New-Object System.IO.Pipes.NamedPipeServerStream('#{pipe_name}')
255
+ $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
256
+ $pipeSecurity = New-Object System.IO.Pipes.PipeSecurity
257
+ $rule = New-Object System.IO.Pipes.PipeAccessRule($user, "FullControl", "Allow")
258
+ $pipeSecurity.AddAccessRule($rule)
259
+ $pipeServer = New-Object System.IO.Pipes.NamedPipeServerStream('#{pipe_name}', [System.IO.Pipes.PipeDirection]::InOut, 1, [System.IO.Pipes.PipeTransmissionMode]::Byte, [System.IO.Pipes.PipeOptions]::None, 4096, 4096, $pipeSecurity)
251
260
  $pipeReader = New-Object System.IO.StreamReader($pipeServer)
252
261
  $pipeWriter = New-Object System.IO.StreamWriter($pipeServer)
253
262
 
@@ -288,6 +297,29 @@ module Train::Transports
288
297
  cmd = "#{@powershell_cmd} -NoProfile -ExecutionPolicy bypass -NonInteractive -EncodedCommand #{base64_script}"
289
298
  Process.create(command_line: cmd).process_id
290
299
  end
300
+
301
+ def current_windows_user
302
+ user = `powershell -Command "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name"`.strip
303
+ if user.nil? || user.empty?
304
+ user = `whoami`.strip
305
+ end
306
+ if user.nil? || user.empty?
307
+ raise "Unable to determine current Windows user"
308
+ end
309
+
310
+ user
311
+ end
312
+
313
+ # Verify pipe ownership before connecting
314
+ def pipe_owned_by_current_user?(pipe_name)
315
+ exists = `powershell -Command "Test-Path \\\\.\\pipe\\#{pipe_name}"`.strip.downcase == "true"
316
+ current_user = current_windows_user
317
+ return [nil, current_user, false] unless exists
318
+
319
+ owner = `powershell -Command "(Get-Acl \\\\.\\pipe\\#{pipe_name}).Owner" 2>&1`.strip
320
+ is_owner = !owner.nil? && !current_user.nil? && owner.casecmp(current_user) == 0
321
+ [owner, current_user, is_owner]
322
+ end
291
323
  end
292
324
  end
293
325
  end
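Review bot: In the first hunk the ownership check runs once, ahead of the `100.times` retry loop that exists because "PowerShell needs time to create pipe", and `pipe_owned_by_current_user?` returns `[nil, current_user, false]` whenever `Test-Path` does not find the pipe, so a pipe that may simply not be created yet raises the "Unauthorized user" `PipeError` with an empty owner. The check is also made on the pipe name rather than on the handle that `open("//./pipe/#{pipe_name}", "r+")` returns afterwards, which leaves a window between check and use; it would be safer to retry while the pipe is absent, raise only on a real owner mismatch, and perform the check as close to the open as possible. In the helper, `2>&1` lets a `Get-Acl` error message become `owner` and end up in the comparison and the exception text, and `pipe_name` is interpolated into backtick command lines, so a comment such as `# pipe_name must be generated internally; never pass caller-supplied text` (or an explicit format check) belongs there if that is the assumption. The method containing the first hunk starts and ends outside the visible lines, so how `pipe_name` is produced cannot be confirmed from this page.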
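--- a/data/lib/train/version.rb
+++ b/data/lib/train/version.rb
@@ -2,5 +2,5 @@
  # Author:: Dominik Richter (<dominik.richter@gmail.com>)
 
  module Train
- VERSION = "3.14.1".freeze
+ VERSION = "3.15.0".freeze
  end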
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: train-core
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.14.1
4
+ version: 3.15.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Chef InSpec Team
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2025-12-15 00:00:00.000000000 Z
11
+ date: 2025-12-22 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: addressable