Merge pull request #285 from chef/ashiqueps/replace-io-with-file

Securiy fix - Polynomial regular expression used

Author: ashiqueps

lib/chef-cli/policyfile_lock.rb

@@ -64,7 +64,7 @@ def cookbook_version_width
       end
     end
 
-    RUN_LIST_ITEM_FORMAT = /\Arecipe\[[^\s]+::[^\s]+\]\Z/
+    RUN_LIST_ITEM_FORMAT = /\Arecipe\[([^:\s][^:\s]{0,254})::([^:\s][^:\s]{0,254})\]\Z/
 
     def self.build(storage_config)
       lock = new(storage_config)

spec/shared/custom_generator_cookbook.rb

@@ -107,7 +107,7 @@
         FileUtils.cp_r(default_generator_cookbook_path, generator_cookbook_path)
 
         # have to update metadata with the correct name
-        IO.binwrite(metadata_file, "name 'a_generator_cookbook'")
+        File.binwrite(metadata_file, "name 'a_generator_cookbook'")
       end
 
       it "creates the new files" do

spec/unit/policyfile_lock_build_spec.rb

@@ -867,6 +867,24 @@ def expect_hash_equal(actual, expected)
 
   end
 
+  context "with invalid run list items" do
+    it "detects invalid format in run list items with extra colons" do
+      expect("recipe[cookbook:default::invalid]").not_to match(ChefCLI::PolicyfileLock::RUN_LIST_ITEM_FORMAT)
+    end
+
+    it "detects invalid format when a run list item has no cookbook name" do
+      expect("recipe[::recipe_name]").not_to match(ChefCLI::PolicyfileLock::RUN_LIST_ITEM_FORMAT)
+    end
+
+    it "detects invalid format when a run list item has no recipe name" do
+      expect("recipe[cookbook::]").not_to match(ChefCLI::PolicyfileLock::RUN_LIST_ITEM_FORMAT)
+    end
+
+    it "validates proper recipe format correctly" do
+      expect("recipe[cookbook::recipe_name]").to match(ChefCLI::PolicyfileLock::RUN_LIST_ITEM_FORMAT)
+    end
+  end
+
   describe "building a policyfile lock from a policyfile compiler" do
 
     include_context "setup git cookbooks"