Harden the scripts against symlinks

41c58a4c · Andrew Newdigate · 3b2e3e0b · 41c58a4c · 41c58a4c · 41c58a4c
Commit 41c58a4c authored Aug 03, 2018 by Andrew Newdigate
6 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -18,3 +18,4 @@ references:
    - apk add --no-cache bash
  script:
    - bash -x ./bin/check-script-references
+    - ./bin/sanity-check-scripts
--- a/bin/sanity-check-scripts
+++ b/bin/sanity-check-scripts
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+ROOT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+function find_scripts() {
+  find "${ROOT_DIR}/scripts" -type f -name "*.sh"
+}
+
+find_scripts | while IFS='' read -r file; do
+  # Ensures all the ../.. references are correct....
+
+  if [[ -x ${file} ]]; then
+    echo "${file}"
+    SANITY_CHECK_ONLY=1 "${file}"
+  fi
+done
--- a/bin/scripts/02_failover/030_t-1d/010_gitlab_twitter_announcement.sh
+++ b/bin/scripts/02_failover/030_t-1d/010_gitlab_twitter_announcement.sh
@@ -4,11 +4,13 @@ set -euo pipefail
 IFS=$'\n\t'

 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+UNSYMLINKED_SCRIPT_DIR="$(greadlink -f "${SCRIPT_DIR}" || readlink "${SCRIPT_DIR}" || echo "${SCRIPT_DIR}")"
 # shellcheck disable=SC1091,SC1090
-source "${SCRIPT_DIR}/../../../workflow-script-commons.sh"
+source "${UNSYMLINKED_SCRIPT_DIR}/../../../workflow-script-commons.sh"

 # --------------------------------------------------------------

+
 PRODUCTION_ONLY

 cat <<EOD

--- a/bin/scripts/02_failover/030_t-1d/020_gitlabstatus_twitter_announcement.sh
+++ b/bin/scripts/02_failover/030_t-1d/020_gitlabstatus_twitter_announcement.sh
@@ -4,8 +4,9 @@ set -euo pipefail
 IFS=$'\n\t'

 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+UNSYMLINKED_SCRIPT_DIR="$(greadlink -f "${SCRIPT_DIR}" || readlink "${SCRIPT_DIR}" || echo "${SCRIPT_DIR}")"
 # shellcheck disable=SC1091,SC1090
-source "${SCRIPT_DIR}/../../../workflow-script-commons.sh"
+source "${UNSYMLINKED_SCRIPT_DIR}/../../../workflow-script-commons.sh"

 # --------------------------------------------------------------


--- a/bin/scripts/02_failover/050_t-1h/020_slack_announcement.sh
+++ b/bin/scripts/02_failover/050_t-1h/020_slack_announcement.sh
@@ -4,8 +4,9 @@ set -euo pipefail
 IFS=$'\n\t'

 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+UNSYMLINKED_SCRIPT_DIR="$(greadlink -f "${SCRIPT_DIR}" || readlink "${SCRIPT_DIR}" || echo "${SCRIPT_DIR}")"
 # shellcheck disable=SC1091,SC1090
-source "${SCRIPT_DIR}/../../../workflow-script-commons.sh"
+source "${UNSYMLINKED_SCRIPT_DIR}/../../../workflow-script-commons.sh"

 # --------------------------------------------------------------


--- a/bin/workflow-script-commons.sh
+++ b/bin/workflow-script-commons.sh
 #!/usr/bin/env bash

+# Used for sanity checking the scripts
+if [[ -n ${SANITY_CHECK_ONLY:=} ]]; then
+  exit 0
+fi
+
 # Everything is logged!
 if [[ -z ${LOGGING_CONFIGURED:=} ]]; then
  export LOGGING_CONFIGURED=1
@@ -87,7 +92,7 @@ function header() {
 ========================================================
 Script: $full_path
 User: ${SUDO_USER:=$USER}
-Rev: $(git rev-parse --short HEAD)
+Rev: $(git -C "$(dirname "${BASH_SOURCE[0]}" )/.." rev-parse --short HEAD)
 ========================================================

 EOD