From 1f3daeab41826028e8f78afd64a32aab986b406b Mon Sep 17 00:00:00 2001
From: Martin Roth
Date: Wed, 30 Aug 2017 13:53:58 -0600
Subject: util/lint/checkpatch: Untaint variables from env & command line
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Jenkins is giving warnings due tainted variables from the environment and command line: Insecure $ENV{PATH} while running setgid at util/lint/checkpatch.pl line 907, <$conststructs> line 39. Insecure dependency in piped open while running setgid at util/lint/checkpatch.pl line 907, <$conststructs> line 39. This should fix those warnings.

Change-Id: I6a09915d13547bf9a86c011d44cbcd39c46f3fec
Signed-off-by: Martin Roth
Reviewed-on: https://review.coreboot.org/21293
Tested-by: build bot (Jenkins)
Reviewed-by: Patrick Georgi
Reviewed-by: Philippe Mathieu-Daudé
---
 util/lint/checkpatch.pl | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'util/lint/checkpatch.pl')
diff --git a/util/lint/checkpatch.pl b/util/lint/checkpatch.pl
index 75f6f981de..adcb0fa93a 100755
--- a/util/lint/checkpatch.pl
+++ b/util/lint/checkpatch.pl
@@ -59,6 +59,13 @@ my $conststructsfile = "$D/const_structs.checkpatch";
 my $color = 1;
 my $allow_c99_comments = 1;
+# For coreboot jenkins
+# If taint mode is enabled, Untaint the path - files must be in /bin, /usr/bin or /usr/local/bin
+if ( ${^TAINT} ) {
+ $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';
+ delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };
+}
+
 sub help {
 my ($exitcode) = @_;
@@ -898,8 +905,9 @@ if ($git) {
 }
 my $vname;
-for my $filename (@ARGV) {
+for my $f (@ARGV) {
 my $FILE;
+ my ($filename) = ($f =~ /^(.*)$/);
 if ($git) {
 open($FILE, '-|', "git format-patch -M --stdout -1 $filename") ||
 die "$P: $filename: git format-patch failed - $!\n";
-- 
cgit v1.2.3
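Review bot: The comment above the `${^TAINT}` block should say why taint mode is ever on and what the fixed PATH implies for the tools the script runs; as written, "For coreboot jenkins" leaves both to the commit message. Something like `# Perl enables taint mode by itself when the script runs setuid/setgid (as on the coreboot Jenkins); git and other helpers are then looked up only in /bin, /usr/bin and /usr/local/bin.` would cover it. Since these three directories become the whole search path for the piped `git` call later in the file, it is worth confirming that `/usr/local/bin` is writable only by root on the build host.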
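Review bot: The capture in `my ($filename) = ($f =~ /^(.*)$/);` accepts any single-line value, so it clears the taint flag without validating the argument, and the string still reaches a shell through the one-string piped open two lines below. Passing the command as a list, `open($FILE, '-|', 'git', 'format-patch', '-M', '--stdout', '-1', $filename)`, keeps the shell out of it; the pattern should then be narrowed to what a commit id or patch path may contain and should refuse a leading `-`, which git would read as an option. When `$f` contains an embedded newline the match fails and `$filename` is undef, so a `defined` check with a `die` is needed before it is used. The loop body continues past the end of the hunk, so the non-git branch is not visible here.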