epm repack: fix CVE: validate YAML output before eval and do safe parsing

3e068d9b · Vitaly Lipatov · 62b75f04 · 3e068d9b · 3e068d9b · 3e068d9b
Commit 3e068d9b authored Jan 08, 2026 by Vitaly Lipatov
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 4 deletions

common.sh pack.d/common.sh +14 -1

generic-snap.sh pack.d/generic-snap.sh +1 -1

common.sh repack.d/common.sh +15 -0

generic.sh repack.d/generic.sh +6 -2

No files found.
--- a/pack.d/common.sh
+++ b/pack.d/common.sh
@@ -6,7 +6,20 @@ fatal()
    exit 1
 }
+# Load YAML fields into shell variables safely (prevents command injection)
+# Usage: yaml_load_vars file.yaml field1 field2 field3 ...
+yaml_load_vars()
+{
+    local file="$1"
+    shift
+    local data field value
+    data="$(epm tool yaml "$file" 2>/dev/null)"
+    for field in "$@" ; do
+        value="$(printf '%s\n' "$data" | grep "^${field}=" | head -n1 | sed "s/^[^=]*=\"\(.*\)\"$/\1/")"
+        # Use single quotes to prevent command execution in values
+        eval "$field='$(printf '%s' "$value" | sed "s/'/'\\\\''/g")'"
+    done
+}
 # compatibility layer

--- a/pack.d/generic-snap.sh
+++ b/pack.d/generic-snap.sh
@@ -21,7 +21,7 @@ a= unsquashfs $TAR || fatal
 # version: 1.69.1
 # summary: Plex for Linux
 # description:
-eval $(epm tool yaml squashfs-root/meta/snap.yaml | grep -E "^(name|version|summary|description)=") #"
+yaml_load_vars squashfs-root/meta/snap.yaml name version summary description
 [ -n "$name" ] || fatal "Can't get name from snap.yaml"
 [ -n "$version" ] || fatal "Can't get version from snap.yaml"

--- a/repack.d/common.sh
+++ b/repack.d/common.sh
@@ -20,6 +20,21 @@ warning()
    echo "WARNING: $*" >&2
 }
+# Load YAML fields into shell variables safely (prevents command injection)
+# Usage: yaml_load_vars file.yaml field1 field2 field3 ...
+yaml_load_vars()
+{
+    local file="$1"
+    shift
+    local data field value
+    data="$(epm tool yaml "$file" 2>/dev/null)"
+    for field in "$@" ; do
+        value="$(printf '%s\n' "$data" | grep "^${field}=" | head -n1 | sed "s/^[^=]*=\"\(.*\)\"$/\1/")"
+        # Use single quotes to prevent command execution in values
+        eval "$field='$(printf '%s' "$value" | sed "s/'/'\\\\''/g")'"
+    done
+}
 # compatibility layer
 # check if <arg> is a real command

--- a/repack.d/generic.sh
+++ b/repack.d/generic.sh
@@ -12,6 +12,11 @@ SUBGENERIC="$5"
 # firstly, pack $PRODUCTDIR if used
 . $(dirname $0)/common.sh
+# Security: reject packages containing .eepm.yaml (could be used for command injection)
+if find "$BUILDROOT" -name "*.eepm.yaml" 2>/dev/null | grep -q . ; then
+    fatal "Package contains .eepm.yaml file which is not allowed (security risk)"
+fi
 # commented out: conflicts with already installed package
 # drop %dir for existed system dirs
 #for i in $(grep '^%dir "' $spec | sed -e 's|^%dir  *"\(.*\)".*|\1|' ) ; do #"
@@ -157,9 +162,8 @@ subst "s|^\(Version: .*\)~.*|\1|" $SPEC
 subst "s|^Release: |Release: epm1.repacked.|" $SPEC
 set_rpm_field "Distribution" "EEPM"
-# TODO: check the yaml file!!!
 if [ -r "$PKG.eepm.yaml" ] ; then
-    eval $(epm tool yaml $PKG.eepm.yaml | grep -E '^(summary|description|upstream_file|upstream_url|url|appname|arch|group|license|version)=' ) #'
+    yaml_load_vars "$PKG.eepm.yaml" name summary description upstream_file upstream_url url appname arch group license version
    # for tarballs fix permissions
    chmod $verbose -R a+rX *
    [ -n "$name" ] && [ "$name" != "$PRODUCT" ] && warning "name $name in $PKG.eepm.yaml is not equal to PRODUCT $PRODUCT"