Fix the vulnerability

Signed-off-by: Jiyeong Seok <[email protected]>

Author: dd-jy

script/generate-notice-files.py

@@ -77,7 +77,7 @@ def html_escape(text):
 def combine_notice_files_html(file_hash, input_dirs, output_filename):
     """Combine notice files in FILE_HASH and output a HTML version to OUTPUT_FILENAME."""
 
-    SRC_DIR_STRIP_RE = re.compile("(?:" + "|".join(input_dirs) + ")(/.*).txt")
+    SRC_DIR_STRIP_RE = re.compile("(?:" + "|".join(re.escape(input_dirs)) + ")(/.*).txt")
 
     # Set up a filename to row id table (anchors inside tables don't work in
     # most browsers, but href's to table row ids do)
@@ -135,7 +135,7 @@ def combine_notice_files_html(file_hash, input_dirs, output_filename):
 def combine_notice_files_text(file_hash, input_dirs, output_filename, file_title):
     """Combine notice files in FILE_HASH and output a text version to OUTPUT_FILENAME."""
 
-    SRC_DIR_STRIP_RE = re.compile("(?:" + "|".join(input_dirs) + ")(/.*).txt")
+    SRC_DIR_STRIP_RE = re.compile("(?:" + "|".join(re.escape(input_dirs)) + ")(/.*).txt")
     output_file = open(output_filename, "wb")
     print >> output_file, file_title
     for value in file_hash:
@@ -150,7 +150,7 @@ def combine_notice_files_text(file_hash, input_dirs, output_filename, file_title
 def combine_notice_files_xml(files_with_same_hash, input_dirs, output_filename):
     """Combine notice files in FILE_HASH and output a XML version to OUTPUT_FILENAME."""
 
-    SRC_DIR_STRIP_RE = re.compile("(?:" + "|".join(input_dirs) + ")(/.*).txt")
+    SRC_DIR_STRIP_RE = re.compile("(?:" + "|".join(re.escape(input_dirs)) + ")(/.*).txt")
 
     # Set up a filename to row id table (anchors inside tables don't work in
     # most browsers, but href's to table row ids do)

src/fosslight_android/_binary_db_controller.py

@@ -14,12 +14,15 @@
 columns = ['filename', 'pathname', 'checksum', 'tlshchecksum', 'ossname', 'ossversion', 'license', 'platformname',
            'platformversion']
 
+DB_USER = 'bin_analysis_script_user'
+DB_PSWD = 'script_123'
+
 
 def connect_to_lge_bin_db():
     conn = ""
     cur = ""
-    user = 'bin_analysis_script_user'
-    password = 'script_123'
+    user = DB_USER
+    password = DB_PSWD
     host_product = 'bat.lge.com'
     dbname = 'bat'
     port = '5432'
@@ -73,29 +76,29 @@ def get_oss_info_from_db(platform_version, bin_info_list, return_list):
 
 def get_oss_info_by_tlsh_and_filename(file_name, checksum_value, tlsh_value, source_path, platform_version, conn, cur):
     sql_statement = "SELECT filename,pathname,checksum,tlshchecksum,ossname,ossversion,license,platformname,platformversion FROM lgematching "
-    sql_statement_checksum = " WHERE filename='{fname}' AND checksum='{checksum}';".format(fname=file_name,
-                                                                                           checksum=checksum_value)  # Checking checksum first.
-    sql_statement_filename = "SELECT tlshchecksum FROM lgematching WHERE filename='{fname}' AND tlshchecksum <> '0' ORDER BY ( " \
+    sql_statement_checksum = " WHERE filename=%(fname)s AND checksum=%(checksum)s;"
+    sql_checksum_params = {'fname': file_name, 'checksum': checksum_value}
+    sql_statement_filename = "SELECT tlshchecksum FROM lgematching WHERE filename=%(fname)s AND tlshchecksum <> '0' ORDER BY ( " \
                              "CASE " \
-                             "WHEN sourcepath = '{src_path}' AND lower(platformname)='{plat_name}' " \
-                             "AND platformversion='{plat_version}' THEN 1 " \
-                             "WHEN sourcepath = '{src_path}' AND lower(platformname)='{plat_name}' THEN 2 " \
-                             "WHEN lower(platformname)='{plat_name}' AND platformversion='{plat_version}' THEN 3 " \
-                             "WHEN lower(platformname)='{plat_name}' THEN 4 " \
+                             "WHEN sourcepath = %(src_path)s AND lower(platformname)=%(plat_name)s " \
+                             "AND platformversion=%(plat_version)s THEN 1 " \
+                             "WHEN sourcepath = %(src_path)s AND lower(platformname)=%(plat_name)s THEN 2 " \
+                             "WHEN lower(platformname)=%(plat_name)s AND platformversion=%(plat_version)s THEN 3 " \
+                             "WHEN lower(platformname)=%(plat_name)s THEN 4 " \
                              "ELSE 5 " \
-                             "END), updatedate DESC;".format(fname=file_name, src_path=source_path, plat_version=platform_version,
-                                                             plat_name="android")
+                             "END), updatedate DESC;"
+    sql_filename_params = {'fname': file_name, 'src_path': source_path, 'plat_version': platform_version, 'plat_name': "android"}
     auto_id_comment = ""
     final_result_item = ""
     is_new = False
 
     # Match checksum and fileName
-    df_result = get_list_by_using_query(sql_statement + sql_statement_checksum, columns, conn, cur)
+    df_result = get_list_by_using_query(sql_statement + sql_statement_checksum, sql_checksum_params, columns, conn, cur)
     if df_result is not None and len(df_result) > 0:  # Found a file with the same checksum.
         final_result_item = df_result
     else:  # Can't find files that have same name and checksum
         # Match tlsh and fileName
-        df_result = get_list_by_using_query(sql_statement_filename, ['tlshchecksum'], conn, cur)
+        df_result = get_list_by_using_query(sql_statement_filename, sql_filename_params, ['tlshchecksum'], conn, cur)
         if df_result is None or len(df_result) <= 0:
             final_result_item = ""
             auto_id_comment = "New Binary/"
@@ -116,16 +119,15 @@ def get_oss_info_by_tlsh_and_filename(file_name, checksum_value, tlsh_value, sou
 
             if matched_tlsh != "":
                 final_result_item = get_list_by_using_query(
-                    sql_statement + " WHERE filename='{fname}' AND tlshchecksum='{tlsh}';".format(fname=file_name,
-                                                                                                  tlsh=matched_tlsh),
+                    sql_statement + " WHERE filename=%(fname)s AND tlshchecksum=%(tlsh)s;", {'fname': file_name, 'tlsh': matched_tlsh},
                     columns, conn, cur)
 
     return final_result_item, auto_id_comment, is_new
 
 
-def get_list_by_using_query(sql_query, columns, conn, cur):
+def get_list_by_using_query(sql_query, params, columns, conn, cur):
     result_rows = ""  # DataFrame
-    cur.execute(sql_query)
+    cur.execute(sql_query, params)
     rows = cur.fetchall()
 
     if rows is not None and len(rows) > 0:

src/fosslight_android/check_package_file.py

@@ -11,6 +11,7 @@
 import logging
 import json
 import sys
+import contextlib
 from datetime import datetime
 from ._util import read_file
 from fosslight_util.constant import LOGGER_NAME
@@ -126,13 +127,11 @@ def extract_file(fname):
 
         # Unzip the file.
         if fname.endswith(".tar.gz"):
-            tar = tarfile.open(fname, "r:gz")
-            tar.extractall(path=extract_path)
-            tar.close()
+            with contextlib.closing(tarfile.open(fname, "r:gz")) as t:
+                t.extractall(path=extract_path)
         elif fname.endswith(".tar"):
-            tar = tarfile.open(fname, "r:")
-            tar.extractall(path=extract_path)
-            tar.close()
+            with contextlib.closing(tarfile.open(fname, "r:")) as t:
+                t.extractall(path=extract_path)
         elif fname.endswith(".zip"):
             return unzip(fname, extract_path)
         else: