Dockerfile: Carry oe-git-proxy locally

This imports revision aa9b9dc9a9 from
https://git.yoctoproject.org/git/poky to avoid fetching it - and having
to add the missing content validation to prevent supply-chain attacks.

Reported-by: Raphael Lisicki <raphael.lisicki@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This commit is contained in:
Jan Kiszka 2021-08-28 11:01:59 +02:00
parent 9732ec16f2
commit 6a97879ad0
2 changed files with 188 additions and 2 deletions

View File

@ -26,8 +26,7 @@ RUN apt-get install --no-install-recommends -y \
apt-get clean && \ apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN wget -nv -O /usr/bin/oe-git-proxy "http://git.yoctoproject.org/cgit/cgit.cgi/poky/plain/scripts/oe-git-proxy" && \ COPY contrib/oe-git-proxy /usr/local/bin/
chmod +x /usr/bin/oe-git-proxy
ENV GIT_PROXY_COMMAND="oe-git-proxy" \ ENV GIT_PROXY_COMMAND="oe-git-proxy" \
NO_PROXY="*" NO_PROXY="*"

187
contrib/oe-git-proxy Executable file
View File

@ -0,0 +1,187 @@
#!/bin/bash
# oe-git-proxy is a simple tool to be via GIT_PROXY_COMMAND. It uses socat
# to make SOCKS5 or HTTPS proxy connections.
# It uses ALL_PROXY or all_proxy or http_proxy to determine the proxy server,
# protocol, and port.
# It uses NO_PROXY to skip using the proxy for a comma delimited list of
# hosts, host globs (*.example.com), IPs, or CIDR masks (192.168.1.0/24). It
# is known to work with both bash and dash shells.
#
# Example ALL_PROXY values:
# ALL_PROXY=socks://socks.example.com:1080
# ALL_PROXY=https://proxy.example.com:8080
#
# Copyright (c) 2013, Intel Corporation.
#
# SPDX-License-Identifier: GPL-2.0-only
#
# AUTHORS
# Darren Hart <dvhart@linux.intel.com>
# disable pathname expansion, NO_PROXY fields could start with "*" or be it
set -f
if [ $# -lt 2 -o "$1" = '--help' -o "$1" = '-h' ] ; then
echo 'oe-git-proxy: error: the following arguments are required: host port'
echo 'Usage: oe-git-proxy host port'
echo ''
echo 'OpenEmbedded git-proxy - a simple tool to be used via GIT_PROXY_COMMAND.'
echo 'It uses socat to make SOCKS or HTTPS proxy connections.'
echo 'It uses ALL_PROXY to determine the proxy server, protocol, and port.'
echo 'It uses NO_PROXY to skip using the proxy for a comma delimited list'
echo 'of hosts, host globs (*.example.com), IPs, or CIDR masks (192.168.1.0/24).'
echo 'It is known to work with both bash and dash shells.runs native tools'
echo ''
echo 'arguments:'
echo ' host proxy host to use'
echo ' port proxy port to use'
echo ''
echo 'options:'
echo ' -h, --help show this help message and exit'
echo ''
exit 2
fi
# Locate the netcat binary
if [ -z "$SOCAT" ]; then
SOCAT=$(which socat 2>/dev/null)
if [ $? -ne 0 ]; then
echo "ERROR: socat binary not in PATH" 1>&2
exit 1
fi
fi
METHOD=""
# Test for a valid IPV4 quad with optional bitmask
valid_ipv4() {
echo $1 | egrep -q "^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}(/(3[0-2]|[1-2]?[0-9]))?$"
return $?
}
# Convert an IPV4 address into a 32bit integer
ipv4_val() {
IP="$1"
SHIFT=24
VAL=0
for B in $( echo "$IP" | tr '.' ' ' ); do
VAL=$(($VAL+$(($B<<$SHIFT))))
SHIFT=$(($SHIFT-8))
done
echo "$VAL"
}
# Determine if two IPs are equivalent, or if the CIDR contains the IP
match_ipv4() {
CIDR=$1
IP=$2
if [ -z "${IP%%$CIDR}" ]; then
return 0
fi
# Determine the mask bitlength
BITS=${CIDR##*/}
[ "$BITS" != "$CIDR" ] || BITS=32
if [ -z "$BITS" ]; then
return 1
fi
IPVAL=$(ipv4_val $IP)
IP2VAL=$(ipv4_val ${CIDR%%/*})
# OR in the unmasked bits
for i in $(seq 0 $((32-$BITS))); do
IP2VAL=$(($IP2VAL|$((1<<$i))))
IPVAL=$(($IPVAL|$((1<<$i))))
done
if [ $IPVAL -eq $IP2VAL ]; then
return 0
fi
return 1
}
# Test to see if GLOB matches HOST
match_host() {
HOST=$1
GLOB=$2
if [ -z "${HOST%%*$GLOB}" ]; then
return 0
fi
# Match by netmask
if valid_ipv4 $GLOB; then
for HOST_IP in $(getent ahostsv4 $HOST | grep ' STREAM ' | cut -d ' ' -f 1) ; do
if valid_ipv4 $HOST_IP; then
match_ipv4 $GLOB $HOST_IP
if [ $? -eq 0 ]; then
return 0
fi
fi
done
fi
return 1
}
# If no proxy is set or needed, just connect directly
METHOD="TCP:$1:$2"
[ -z "${ALL_PROXY}" ] && ALL_PROXY=$all_proxy
[ -z "${ALL_PROXY}" ] && ALL_PROXY=$http_proxy
if [ -z "$ALL_PROXY" ]; then
exec $SOCAT STDIO $METHOD
fi
# Connect directly to hosts in NO_PROXY
for H in $( echo "$NO_PROXY" | tr ',' ' ' ); do
if match_host $1 $H; then
exec $SOCAT STDIO $METHOD
fi
done
# Proxy is necessary, determine protocol, server, and port
# extract protocol
PROTO=${ALL_PROXY%://*}
# strip protocol:// from string
ALL_PROXY=${ALL_PROXY#*://}
# extract host & port parts:
# 1) drop username/password
PROXY=${ALL_PROXY##*@}
# 2) remove optional trailing /?
PROXY=${PROXY%%/*}
# 3) extract optional port
PORT=${PROXY##*:}
if [ "$PORT" = "$PROXY" ]; then
PORT=""
fi
# 4) remove port
PROXY=${PROXY%%:*}
# extract username & password
PROXYAUTH="${ALL_PROXY%@*}"
[ "$PROXYAUTH" = "$ALL_PROXY" ] && PROXYAUTH=
[ -n "${PROXYAUTH}" ] && PROXYAUTH=",proxyauth=${PROXYAUTH}"
if [ "$PROTO" = "socks" ] || [ "$PROTO" = "socks4a" ]; then
if [ -z "$PORT" ]; then
PORT="1080"
fi
METHOD="SOCKS4A:$PROXY:$1:$2,socksport=$PORT"
elif [ "$PROTO" = "socks4" ]; then
if [ -z "$PORT" ]; then
PORT="1080"
fi
METHOD="SOCKS4:$PROXY:$1:$2,socksport=$PORT"
else
# Assume PROXY (http, https, etc)
if [ -z "$PORT" ]; then
PORT="8080"
fi
METHOD="PROXY:$PROXY:$1:$2,proxyport=${PORT}${PROXYAUTH}"
fi
exec $SOCAT STDIO "$METHOD"