#!/bin/bash
# shellcheck disable=2181
#
# Build a vendored pnpm store tarball for the bash-language-server RPM.
#
# Reads Source0 and Version from the .spec in the current directory, downloads
# the upstream tarball when it is not already present, extracts it into a
# private scratch directory, fetches and installs the pnpm dependencies into a
# local store (lifecycle scripts disabled), runs `pnpm audit` plus a handful of
# grep-based checks for known malicious-package tropes, strips build artefacts
# from the store and packs it as <name>-<version>-vendor.tar.zst next to the
# spec. Finally it prints the `osc add` command for the produced files.
#
# Requires: rpmspec, wget, GNU tar with zstd support, pnpm, nproc, GNU mktemp,
# GNU find/grep. Run from the package directory (where the .spec lives).
# Interactive: when the audit or the pattern checks raise warnings the script
# asks on stdin whether to continue.

set -euo pipefail
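#######################################
# Print the value of a tag from the macro-expanded spec file.
# Arguments: $1 - tag name without the colon, e.g. Source0
# Outputs:   the tag value (leading/trailing whitespace stripped) to stdout,
#            one line per matching tag; nothing if the tag is absent
# Returns:   0 unless rpmspec fails
#######################################
spec_tag() {
  # Anchored to line start so a mention of the tag elsewhere (comments,
  # %changelog) cannot match. [[:space:]] accepts tabs after the colon, which
  # spec files commonly use and which a bare "[ ]*" would leave in the value.
  rpmspec -P ./*.spec | sed -n "/^$1:/{s/^$1:[[:space:]]*//;s/[[:space:]]*$//;p}"
}

# Upstream tarball URL (Source0) and the filename it will be saved under.
BASHLS_URL="$(spec_tag Source0)"
if [ -z "${BASHLS_URL}" ]; then
  echo "ERROR: no Source0 tag found in ./*.spec" >&2
  exit 1
fi
BASHLS_TARBALL="$(basename "${BASHLS_URL}")"

# Package version from the spec; part of the extracted directory name and of
# the vendor tarball name.
BASHLS_PKGVERSION="$(spec_tag Version)"
if [ -z "${BASHLS_PKGVERSION}" ]; then
  echo "ERROR: no Version tag found in ./*.spec" >&2
  exit 1
fi

BASHLS_PKGNAME="bash-language-server"
# Package directory: where the spec lives and where the vendor tarball lands.
BASHLS_PKGDIR="$(pwd)"
# Private, unpredictably named scratch directory under $TMPDIR (or /tmp);
# removed by cleanup() on every exit path.
BASHLS_TMPDIR="$(mktemp --tmpdir -d bashls-XXXXXXXX)"
# Directory the upstream tarball is expected to unpack into.
BASHLS_PATH="${BASHLS_TMPDIR}/${BASHLS_PKGNAME}-server-${BASHLS_PKGVERSION}"

# 1 while the script sits inside a pushd, so cleanup() knows to popd.
PUSHED=0

echo "URL: ${BASHLS_URL}"
echo "TARBALL: ${BASHLS_TARBALL}"
echo "NAME: ${BASHLS_PKGNAME}"
echo "VERSION: ${BASHLS_PKGVERSION}"
echo "PATH: ${BASHLS_PATH}"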
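#######################################
# Leave the extracted tree (if entered) and remove the scratch directory.
# Globals:   PUSHED (read) - 1 when a pushd is still outstanding
#            BASHLS_TMPDIR (read) - scratch directory created by mktemp
# Outputs:   a progress line to stdout when the directory is removed
# Returns:   0 always; it is called from the EXIT trap and from
#            cleanup_and_exit, possibly twice, so every step tolerates
#            having already been done.
#######################################
cleanup() {
  if [[ "${PUSHED:-0}" -eq 1 ]]; then
    # The stack may already be empty on a second call; that is not an error.
    popd 2>/dev/null || true
  fi
  if [[ -n "${BASHLS_TMPDIR:-}" && -d "${BASHLS_TMPDIR}" ]]; then
    echo "Cleaning up temporary directory..."
    # ":?" makes an empty path a hard error instead of "rm -rf /"-style
    # expansion; "--" keeps a path beginning with "-" from being read as an
    # option.
    rm -rf -- "${BASHLS_TMPDIR:?}"
  fi
}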
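# Remove the scratch directory on every exit path.
trap cleanup EXIT
# A SIGINT handler that merely returns lets bash resume the script after
# Ctrl-C, with the scratch directory already deleted. Exit explicitly instead
# (128 + 2). The EXIT trap is cleared first so cleanup runs only once.
trap 'trap - EXIT; cleanup; exit 130' INT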
#######################################
# Run cleanup and terminate the script.
# Arguments: $1 - exit status (optional; defaults to 0)
# Returns:   never returns; the process exits with $1
#######################################
cleanup_and_exit() {
  local status="${1:-0}"
  cleanup
  exit "${status}"
}
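# Download the upstream tarball unless a non-empty copy already sits in the
# package directory. "-s" (rather than "-w") means a truncated leftover is
# re-fetched and a read-only but complete file is reused instead of being
# downloaded again under a ".1" name.
if [[ ! -s "${BASHLS_TARBALL}" ]]; then
  echo ">>>>>> Downloading source tarball"
  # -O pins the output name to the basename derived from Source0.
  # NOTE(review): nothing here checks the download against a checksum or
  # signature; the archive is trusted as served by the URL in the spec.
  if ! wget -O "${BASHLS_TARBALL}" -- "${BASHLS_URL}"; then
    echo "ERROR: Failed to download source tarball"
    # wget -O creates the file even on failure; drop the partial copy so the
    # next run does not mistake it for a complete tarball.
    rm -f -- "${BASHLS_TARBALL}"
    cleanup_and_exit 1
  fi
fi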
echo ">>>>>> Extracting source tarball"
# Unpack into the scratch directory; the tree is expected to appear at
# BASHLS_PATH, which the next step enters.
tar -xf "${BASHLS_TARBALL}" -C "${BASHLS_TMPDIR}" || {
  echo "ERROR: Failed to extract tarball"
  cleanup_and_exit 1
}
# Enter the extracted tree; PUSHED=1 tells cleanup() a popd is outstanding.
pushd "${BASHLS_PATH}" || {
  echo "ERROR: Failed to change to directory ${BASHLS_PATH}"
  cleanup_and_exit 1
}
PUSHED=1
# The pnpm store is created inside the extracted tree, so the vendor tarball
# built from ".pnpm-store" later is relative to the project root.
PNPM_STORE_DIR="$(pwd)/.pnpm-store"

echo ">>>>>> Fetching node modules"
# Populate the store with exactly what the lockfile pins.
pnpm fetch --frozen-lockfile --store-dir "${PNPM_STORE_DIR}" || {
  echo "ERROR: pnpm fetch failed"
  cleanup_and_exit 1
}
echo ">>>>>> Installing node modules"
# --offline resolves only from the store filled by the fetch step.
# --ignore-scripts skips lifecycle scripts: the vscode package's postinstall
# is unwanted here, and it also means no dependency-supplied install hook
# runs on this machine before the hook check further down has looked at it.
pnpm install --frozen-lockfile --offline --ignore-scripts --store-dir "${PNPM_STORE_DIR}" || {
  echo "ERROR: pnpm install failed"
  cleanup_and_exit 1
}
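echo ">>>>>> Running security audit"
# pnpm audit is expected to exit non-zero when advisories at or above the
# given level exist (it queries the advisory database, so it needs network).
AUDIT_FAILED=0
if ! pnpm audit --audit-level=high; then
  AUDIT_FAILED=1
fi

if [[ "${AUDIT_FAILED}" -eq 1 ]]; then
  echo ""
  echo "WARNING: Security vulnerabilities found (high or critical severity)"
  echo "Run 'pnpm audit' manually in ${BASHLS_PATH} for details"
  echo ""
  # On EOF (no terminal, CI) read returns non-zero and set -e would kill the
  # script without the "Aborting" line; treat EOF as "no" so the refusal is
  # explicit and still fail-closed.
  read -r -p "Continue despite vulnerabilities? (yes/no): " || REPLY=""
  if [[ ! "${REPLY}" =~ ^[Yy][Ee][Ss]$ ]]; then
    echo "Aborting due to security vulnerabilities"
    cleanup_and_exit 1
  fi
fi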
echo ">>>>>> Running security checks for malicious patterns"
SECURITY_ISSUES=0

# Grep-based heuristics for Shai-Hulud worm patterns:
# - Self-replicating code that modifies package.json
# - Suspicious preinstall/postinstall hooks
# - Hidden Unicode characters (listed, but no check for it is implemented below)
# - Obfuscated code patterns
# These are prompts for a human look, not a scanner: a hit is often a false
# positive (any auth library mentions "token"), and a miss is not a clearance.
# Every match is sent to /dev/null, so a warning says "found" without naming
# the file; the summary's "review the warnings above" therefore needs the
# reader to rerun the grep by hand. --include is GNU grep syntax.
echo " - Checking for suspicious install hooks..."
# Only flags a hook whose own line mentions the keywords; a hook that runs
# "node scripts/setup.js" with the payload in that file is not seen.
if grep -r "preinstall\|postinstall\|preuninstall" "${PNPM_STORE_DIR}" --include="package.json" | grep -i "curl\|wget\|eval\|exec\|child_process" > /dev/null 2>&1; then
  echo " WARNING: Found suspicious install hooks with network/exec calls"
  SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi

echo " - Checking for obfuscated code..."
# head -5 caps how much of find's output is consumed; the condition only needs
# "at least one file matched" (grep -q .). NOTE(review): in a GNU grep basic
# regex "\x" is not a hex escape, so the last alternative presumably matches a
# literal "x" followed by two hex digits (e.g. an ordinary 0x1f literal) and
# newer grep versions warn about the stray backslash — confirm and adjust.
if find "${PNPM_STORE_DIR}" -type f \( -name "*.js" -o -name "*.mjs" -o -name "*.cjs" \) -exec grep -l "eval(\|Function(\|atob(\|\\x[0-9a-f][0-9a-f]" {} \; | head -5 | grep -q .; then
  echo " WARNING: Found potentially obfuscated code (eval, Function constructor, hex encoding)"
  SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi

echo " - Checking for suspicious network activity..."
# The grep -v drops any matching line whose path or text contains "test",
# "spec" or "example" anywhere (e.g. a package named test-utils), so real hits
# in such files are filtered out too.
if grep -r "http://\|https://" "${PNPM_STORE_DIR}" --include="*.js" --include="*.mjs" --include="*.cjs" | grep -v "node_modules\|\.git\|test\|spec\|example" | grep -i "pastebin\|discord\.com/api/webhooks\|raw\.githubusercontent" > /dev/null 2>&1; then
  echo " WARNING: Found suspicious external URLs (pastebin, discord webhooks, raw github)"
  SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi

echo " - Checking for filesystem tampering..."
# Both halves must sit on the same source line to match.
if grep -r "writeFileSync\|appendFileSync" "${PNPM_STORE_DIR}" --include="*.js" --include="*.mjs" --include="*.cjs" | grep -i "package\.json\|\.npmrc\|\.bashrc\|\.zshrc\|\.profile" > /dev/null 2>&1; then
  echo " WARNING: Found code that modifies sensitive files"
  SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi

echo " - Checking for credential harvesting..."
# Expect noise: legitimate code reading its own config from process.env will
# match too. Lines from *.d.ts and test/example paths are excluded.
if grep -r "password\|token\|secret\|api[_-]key\|npm_token" "${PNPM_STORE_DIR}" --include="*.js" --include="*.mjs" --include="*.cjs" | grep -i "process\.env\|fs\.read" | grep -v "test\|spec\|example\|\.d\.ts" > /dev/null 2>&1; then
  echo " WARNING: Found code accessing credentials from environment"
  SECURITY_ISSUES=$((SECURITY_ISSUES + 1))
fi
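# Summarise the heuristic checks and ask before packaging anything flagged.
if [[ "${SECURITY_ISSUES}" -gt 0 ]]; then
  echo ""
  echo "!!! SECURITY WARNING: Found ${SECURITY_ISSUES} potential security issue(s) !!!"
  echo "!!! Please review the warnings above carefully before proceeding !!!"
  echo ""
  # EOF on stdin (non-interactive run) counts as "no": without the fallback
  # set -e would end the script on the failed read with no message at all.
  read -r -p "Continue anyway? (yes/no): " || REPLY=""
  if [[ ! "${REPLY}" =~ ^[Yy][Ee][Ss]$ ]]; then
    echo "Aborting due to security concerns"
    cleanup_and_exit 1
  fi
else
  echo " ✓ No obvious malicious patterns detected"
fi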
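echo ">>>>>> Cleanup object dirs"
# Everything from here on runs "rm -rf"/"-delete" beneath the store root;
# refuse to continue with an empty PNPM_STORE_DIR rather than sweep "/".
: "${PNPM_STORE_DIR:?PNPM_STORE_DIR must be set}"
# Build leftovers that add nothing to the vendored sources. Failures are
# ignored on purpose: no match (xargs -r then runs nothing) is the normal case.
find "${PNPM_STORE_DIR}/" -type d -name "__pycache__" -print0 | xargs -0 -r rm -rf -- || true
find "${PNPM_STORE_DIR}/" -type d -name "*.o.d" -print0 | xargs -0 -r rm -rf -- || true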
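echo ">>>>>> Cleanup object files"
# Guard the destructive finds below against an empty store path.
: "${PNPM_STORE_DIR:?PNPM_STORE_DIR must be set}"
# Strip compiled and native artefacts so the vendor tarball carries sources
# only. "|| true" everywhere: an absent file type is not an error.
find "${PNPM_STORE_DIR}/" -name "*.node" -print0 | xargs -0 -r rm -rf -- || true

# *.dll files under a signal-client path are kept. The exclusion is done in
# find itself and the list is NUL-delimited, so paths containing spaces or
# newlines survive (the earlier "find | grep -v | xargs" form split on them).
find "${PNPM_STORE_DIR}/" -name "*.dll" ! -path "*signal-client*" -print0 | xargs -0 -r rm -f -- || true
find "${PNPM_STORE_DIR}/" -name "*.dylib" -delete || true
find "${PNPM_STORE_DIR}/" -name "*.so" -delete || true
find "${PNPM_STORE_DIR}/" -name "*.o" -delete || true
find "${PNPM_STORE_DIR}/" -name "*.a" -delete || true
find "${PNPM_STORE_DIR}/" -name "*.snyk-*.flag" -delete || true
find "${PNPM_STORE_DIR}/" -name "builderror.log" -delete || true
find "${PNPM_STORE_DIR}/" -name ".deps" -type d -print0 | xargs -0 -r rm -rf -- || true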
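echo ">>>>>> Cleanup build info"
: "${PNPM_STORE_DIR:?PNPM_STORE_DIR must be set}"
# node-gyp build metadata; not needed in the vendored sources.
find "${PNPM_STORE_DIR}/" -name "Makefile" -delete || true
find "${PNPM_STORE_DIR}/" -name "*.target.mk" -delete || true
find "${PNPM_STORE_DIR}/" -name "config.gypi" -delete || true
# package.json files may record the absolute scratch path of this run; rewrite
# it to /tmp so the tarball does not depend on the mktemp name. BASHLS_PATH is
# spliced into the sed expression verbatim with "#" as delimiter, so the path
# must not contain "#"; its "." characters are regex wildcards, which is
# harmless here. "{} +" batches files into one sed invocation.
find "${PNPM_STORE_DIR}/" -name "package.json" -exec sed -i "s#${BASHLS_PATH}#/tmp#g" {} + || true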
echo ">>>>>> Packaging vendor files"
# Replace any tarball left by a previous run.
rm -f "${BASHLS_PKGDIR}/${BASHLS_PKGNAME}-${BASHLS_PKGVERSION}-vendor.tar.zst"
# ".pnpm-store" is relative to the extracted tree entered above; ZSTD_NBTHREADS
# lets the zstd compressor use all cores.
# NOTE(review): without --sort/--mtime two runs yield byte-different archives;
# pin them if reproducible vendor tarballs are wanted.
ZSTD_NBTHREADS=$(nproc) tar --zstd -cf "${BASHLS_PKGDIR}/${BASHLS_PKGNAME}-${BASHLS_PKGVERSION}-vendor.tar.zst" .pnpm-store || {
  echo "ERROR: Failed to create tarball"
  cleanup_and_exit 1
}

echo ">>>>>> Successfully created ${BASHLS_PKGNAME}-${BASHLS_PKGVERSION}-vendor.tar.zst"
# Back to the package directory; PUSHED=0 tells cleanup() nothing is left to pop.
popd
PUSHED=0

# Tell the user how to register the two produced files with osc.
cat <<EOF

>>>>>> Next step: Add sources with the following command:

osc add ${BASHLS_TARBALL} ${BASHLS_PKGNAME}-${BASHLS_PKGVERSION}-vendor.tar.zst

EOF

cleanup_and_exit 0