From d9d6e019633142d7f58fa35d08f297f8e0604fa9 Mon Sep 17 00:00:00 2001
From: Wolfgang Müller
Date: Wed, 10 Mar 2021 16:34:39 +0100
Subject: Improve and harden list_active

An upcoming commit will introduce support for the BOSUN_DIR environment
variable that allows users (and, crucially, the upcoming test suite) to
override the default role directory. Since we have previously assumed
that we are in full control of STOW_DIR, we now have to be more careful.

Revamp list_active such that the sed invocation no longer gets any user
input. This should protect against any nefarious contents in BOSUN_DIR.

The new approach used by list_active relies on 'realpath', a GNU-only
coreutils program, and its '--relative-base' option which prints
absolute paths unless they are below a given directory. This allows us
to filter symbolic links that do not point to a path within BOSUN_DIR.
---
 bosun | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/bosun b/bosun
index d8d0168..5d651a3 100755
--- a/bosun
+++ b/bosun
@@ -61,13 +61,14 @@ list() {
 }
 
 list_active() {
-	# Note: we de not escape any special characters in $STOW_DIR since it is
-	# assumed we are in full control of its contents.
-	# XXX: -r for xargs is a GNU extension
-	find "$STOW_DIR/.." -type l -print0 2>/dev/null \
-		| xargs -r0 readlink -f \
-		| sed -n ":^$STOW_DIR: s:^$STOW_DIR/\([^/]\+\)/.*:\1:p" \
-		| sort -u
+	real=$(realpath "$STOW_DIR")
+	cd "$STOW_DIR/.." || exit 1
+
+	# XXX: GNU extensions: -print0 for find, -r -0 for xargs
+	# XXX: GNU only: realpath
+	find -type l -print0 2>/dev/null \
+		| xargs -r0 realpath -e --relative-base "$real" 2>/dev/null \
+		| sed '/^\//d' | cut -d/ -f1 | sort -u
 }
 
 list_all() {
-- 
cgit v1.2.3-2-gb3c3