6a97879ad0
This imports revision aa9b9dc9a9
from
https://git.yoctoproject.org/git/poky to avoid fetching it - and having
to add the missing content validation to prevent supply-chain attacks.
Reported-by: Raphael Lisicki <raphael.lisicki@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
188 lines
4.6 KiB
Bash
Executable File
188 lines
4.6 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# oe-git-proxy is a simple tool to be via GIT_PROXY_COMMAND. It uses socat
|
|
# to make SOCKS5 or HTTPS proxy connections.
|
|
# It uses ALL_PROXY or all_proxy or http_proxy to determine the proxy server,
|
|
# protocol, and port.
|
|
# It uses NO_PROXY to skip using the proxy for a comma delimited list of
|
|
# hosts, host globs (*.example.com), IPs, or CIDR masks (192.168.1.0/24). It
|
|
# is known to work with both bash and dash shells.
|
|
#
|
|
# Example ALL_PROXY values:
|
|
# ALL_PROXY=socks://socks.example.com:1080
|
|
# ALL_PROXY=https://proxy.example.com:8080
|
|
#
|
|
# Copyright (c) 2013, Intel Corporation.
|
|
#
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
#
|
|
# AUTHORS
|
|
# Darren Hart <dvhart@linux.intel.com>
|
|
|
|
# disable pathname expansion, NO_PROXY fields could start with "*" or be it
|
|
set -f
|
|
|
|
if [ $# -lt 2 -o "$1" = '--help' -o "$1" = '-h' ] ; then
|
|
echo 'oe-git-proxy: error: the following arguments are required: host port'
|
|
echo 'Usage: oe-git-proxy host port'
|
|
echo ''
|
|
echo 'OpenEmbedded git-proxy - a simple tool to be used via GIT_PROXY_COMMAND.'
|
|
echo 'It uses socat to make SOCKS or HTTPS proxy connections.'
|
|
echo 'It uses ALL_PROXY to determine the proxy server, protocol, and port.'
|
|
echo 'It uses NO_PROXY to skip using the proxy for a comma delimited list'
|
|
echo 'of hosts, host globs (*.example.com), IPs, or CIDR masks (192.168.1.0/24).'
|
|
echo 'It is known to work with both bash and dash shells.runs native tools'
|
|
echo ''
|
|
echo 'arguments:'
|
|
echo ' host proxy host to use'
|
|
echo ' port proxy port to use'
|
|
echo ''
|
|
echo 'options:'
|
|
echo ' -h, --help show this help message and exit'
|
|
echo ''
|
|
exit 2
|
|
fi
|
|
|
|
# Locate the netcat binary
|
|
if [ -z "$SOCAT" ]; then
|
|
SOCAT=$(which socat 2>/dev/null)
|
|
if [ $? -ne 0 ]; then
|
|
echo "ERROR: socat binary not in PATH" 1>&2
|
|
exit 1
|
|
fi
|
|
fi
|
|
METHOD=""
|
|
|
|
# Test for a valid IPV4 quad with optional bitmask
|
|
valid_ipv4() {
|
|
echo $1 | egrep -q "^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}(/(3[0-2]|[1-2]?[0-9]))?$"
|
|
return $?
|
|
}
|
|
|
|
# Convert an IPV4 address into a 32bit integer
|
|
ipv4_val() {
|
|
IP="$1"
|
|
SHIFT=24
|
|
VAL=0
|
|
for B in $( echo "$IP" | tr '.' ' ' ); do
|
|
VAL=$(($VAL+$(($B<<$SHIFT))))
|
|
SHIFT=$(($SHIFT-8))
|
|
done
|
|
echo "$VAL"
|
|
}
|
|
|
|
# Determine if two IPs are equivalent, or if the CIDR contains the IP
|
|
match_ipv4() {
|
|
CIDR=$1
|
|
IP=$2
|
|
|
|
if [ -z "${IP%%$CIDR}" ]; then
|
|
return 0
|
|
fi
|
|
|
|
# Determine the mask bitlength
|
|
BITS=${CIDR##*/}
|
|
[ "$BITS" != "$CIDR" ] || BITS=32
|
|
if [ -z "$BITS" ]; then
|
|
return 1
|
|
fi
|
|
|
|
IPVAL=$(ipv4_val $IP)
|
|
IP2VAL=$(ipv4_val ${CIDR%%/*})
|
|
|
|
# OR in the unmasked bits
|
|
for i in $(seq 0 $((32-$BITS))); do
|
|
IP2VAL=$(($IP2VAL|$((1<<$i))))
|
|
IPVAL=$(($IPVAL|$((1<<$i))))
|
|
done
|
|
|
|
if [ $IPVAL -eq $IP2VAL ]; then
|
|
return 0
|
|
fi
|
|
return 1
|
|
}
|
|
|
|
# Test to see if GLOB matches HOST
|
|
match_host() {
|
|
HOST=$1
|
|
GLOB=$2
|
|
|
|
if [ -z "${HOST%%*$GLOB}" ]; then
|
|
return 0
|
|
fi
|
|
|
|
# Match by netmask
|
|
if valid_ipv4 $GLOB; then
|
|
for HOST_IP in $(getent ahostsv4 $HOST | grep ' STREAM ' | cut -d ' ' -f 1) ; do
|
|
if valid_ipv4 $HOST_IP; then
|
|
match_ipv4 $GLOB $HOST_IP
|
|
if [ $? -eq 0 ]; then
|
|
return 0
|
|
fi
|
|
fi
|
|
done
|
|
fi
|
|
|
|
return 1
|
|
}
|
|
|
|
# If no proxy is set or needed, just connect directly
|
|
METHOD="TCP:$1:$2"
|
|
|
|
[ -z "${ALL_PROXY}" ] && ALL_PROXY=$all_proxy
|
|
[ -z "${ALL_PROXY}" ] && ALL_PROXY=$http_proxy
|
|
|
|
if [ -z "$ALL_PROXY" ]; then
|
|
exec $SOCAT STDIO $METHOD
|
|
fi
|
|
|
|
# Connect directly to hosts in NO_PROXY
|
|
for H in $( echo "$NO_PROXY" | tr ',' ' ' ); do
|
|
if match_host $1 $H; then
|
|
exec $SOCAT STDIO $METHOD
|
|
fi
|
|
done
|
|
|
|
# Proxy is necessary, determine protocol, server, and port
|
|
# extract protocol
|
|
PROTO=${ALL_PROXY%://*}
|
|
# strip protocol:// from string
|
|
ALL_PROXY=${ALL_PROXY#*://}
|
|
# extract host & port parts:
|
|
# 1) drop username/password
|
|
PROXY=${ALL_PROXY##*@}
|
|
# 2) remove optional trailing /?
|
|
PROXY=${PROXY%%/*}
|
|
# 3) extract optional port
|
|
PORT=${PROXY##*:}
|
|
if [ "$PORT" = "$PROXY" ]; then
|
|
PORT=""
|
|
fi
|
|
# 4) remove port
|
|
PROXY=${PROXY%%:*}
|
|
|
|
# extract username & password
|
|
PROXYAUTH="${ALL_PROXY%@*}"
|
|
[ "$PROXYAUTH" = "$ALL_PROXY" ] && PROXYAUTH=
|
|
[ -n "${PROXYAUTH}" ] && PROXYAUTH=",proxyauth=${PROXYAUTH}"
|
|
|
|
if [ "$PROTO" = "socks" ] || [ "$PROTO" = "socks4a" ]; then
|
|
if [ -z "$PORT" ]; then
|
|
PORT="1080"
|
|
fi
|
|
METHOD="SOCKS4A:$PROXY:$1:$2,socksport=$PORT"
|
|
elif [ "$PROTO" = "socks4" ]; then
|
|
if [ -z "$PORT" ]; then
|
|
PORT="1080"
|
|
fi
|
|
METHOD="SOCKS4:$PROXY:$1:$2,socksport=$PORT"
|
|
else
|
|
# Assume PROXY (http, https, etc)
|
|
if [ -z "$PORT" ]; then
|
|
PORT="8080"
|
|
fi
|
|
METHOD="PROXY:$PROXY:$1:$2,proxyport=${PORT}${PROXYAUTH}"
|
|
fi
|
|
|
|
exec $SOCAT STDIO "$METHOD"
|