Merge pull request #311 from github/xn4p4lm-rsync-patch

xN4P4LM · web-flow · commit fd7d2c833e76 · 2023-05-05T11:46:57.000-04:00
Adding check to add trusted sender if supported
diff --git a/bin/ghe-host-check b/bin/ghe-host-check
@@ -153,8 +153,8 @@ if [[ "$CALLING_SCRIPT" == "ghe-backup" ]]; then
   . "$(dirname "${BASH_SOURCE[0]}")/../share/github-backup-utils/requirements.txt"
 
   #source disk size file
-  # shellcheck source=share/github-backup-utils/ghe-rsync-size.sh
-  . "$(dirname "${BASH_SOURCE[0]}")/../share/github-backup-utils/ghe-rsync-size.sh"
+  # shellcheck source=share/github-backup-utils/ghe-rsync-size
+  . "$(dirname "${BASH_SOURCE[0]}")/../share/github-backup-utils/ghe-rsync-size"
 
   #Display dir requirements for repositories and mysql
   echo "Checking host for sufficient space for a backup..." 1>&2
diff --git a/share/github-backup-utils/ghe-rsync b/share/github-backup-utils/ghe-rsync
@@ -11,6 +11,7 @@ set -o pipefail
 # shellcheck source=share/github-backup-utils/ghe-backup-config
 . "$( dirname "${BASH_SOURCE[0]}" )/ghe-backup-config"
 
+# Don't use the feature checker for expected parameters as it can cause issues with server paths
 # Check for --ignore-missing-args parameter support and remove if unavailable.
 if rsync -h | grep '\-\-ignore-missing-args' >/dev/null 2>&1; then
   parameters=("$@")
@@ -20,14 +21,35 @@ else
   done
 fi
 
-ignoreout='^(file has vanished: |rsync warning: some files vanished before they could be transferred)'
-rsync_version_check=$(rsync --version | egrep "version 3.[0-9]*.[0-9]*")
-if [ ! -z "$rsync_version_check" ]; then
+# This prepends `--trust-sender` to the parameters if supported by the current version of rsync 
+# to mitigate the degradation of performance due to the resolution of CVE-2022-29154
+# shellcheck source=share/github-backup-utils/ghe-rsync-feature-checker
+# shellcheck disable=SC2046
+if [ "$($( dirname "${BASH_SOURCE[0]}" )/ghe-rsync-feature-checker --trust-sender)" == "true" ]; then
+  parameters=("--trust-sender" "${parameters[@]}")
+fi
+
+# This loads the $GHE_EXTRA_RSYNC_OPTS from the config file if available then adds them
+# to the parameters and skip adding if already present in the parameters
+# shellcheck source=share/github-backup-utils/ghe-rsync-feature-checker
+# shellcheck disable=SC2046
+if [ -n "$GHE_EXTRA_RSYNC_OPTS" ]; then
+  for extra_opt in $GHE_EXTRA_RSYNC_OPTS; do
+    if [ "$($( dirname "${BASH_SOURCE[0]}" )/ghe-rsync-feature-checker "$extra_opt")" == "true" ]; then
+      parameters+=("$extra_opt")
+    fi
+  done
+fi
+
+
+ignore_out='^(file has vanished: |rsync warning: some files vanished before they could be transferred)'
+rsync_version_check=$(rsync --version | grep -E "version 3.[0-9]*.[0-9]*")
+if [ -n "$rsync_version_check" ]; then
   # rsync >= 3.x sends errors to stderr. so, we need to redirect to stdout before the pipe
-  rsync "${parameters[@]}" $GHE_EXTRA_RSYNC_OPTS 2>&1 | (egrep -v "$ignoreout" || true)
+  rsync "${parameters[@]}" 2>&1 | (grep -E -v "$ignore_out" || true)
 else
   # rsync <3.x sends errors to stdout.
-  rsync "${parameters[@]}" $GHE_EXTRA_RSYNC_OPTS | (egrep -v "$ignoreout" || true)
+  rsync "${parameters[@]}" | (grep -E -v "$ignore_out" || true)
 fi
 res=$?
 
diff --git a/share/github-backup-utils/ghe-rsync-feature-checker b/share/github-backup-utils/ghe-rsync-feature-checker
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#/ Usage: ghe-rsync-feature-checker <rsync-command>
+#/ returns true if the passed rsync command is supported by the current version of rsync
+#/ returns false if the passed rsync command is not supported by the current version of rsync
+#/
+
+set -o pipefail
+
+# set the variable from the first argument and remove any leading dashes
+rsync_command=$(echo "$1" | sed -E 's/^-+//')
+
+# check if the passed rsync command is supported by the current version of rsync
+if rsync -h | grep -E "\B-+($rsync_command)\b" >/dev/null 2>&1; then
+  echo "true"
+else
+  echo "false"
+fi
diff --git a/share/github-backup-utils/ghe-rsync-size b/share/github-backup-utils/ghe-rsync-size
diff --git a/test/test-ghe-rsync-feature-checker.sh b/test/test-ghe-rsync-feature-checker.sh
@@ -0,0 +1,128 @@
+#!/usr/bin/env bash
+# ghe-rsync-feature-checker command tests
+
+TESTS_DIR="$PWD/$(dirname "$0")"
+# Bring in testlib.
+# shellcheck source=test/testlib.sh
+. "$TESTS_DIR/testlib.sh"
+
+## testing for known supported command help with and without leading dashes
+
+begin_test "Testing ghe-rsync-feature-checker for known supported command --help"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker --help | grep -q "true"
+)
+end_test
+
+begin_test "Testing ghe-rsync-feature-checker with known supported command help"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker help | grep -q "true"
+)
+end_test
+
+## testing with known unsupported command not-an-actual-feature with and without leading dashes
+
+begin_test "Testing ghe-rsync-feature-checker with known unsupported command --not-an-actual-feature"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command 
+    ghe-rsync-feature-checker --not-an-actual-feature | grep -q "false"
+    
+)
+end_test
+
+begin_test "Testing ghe-rsync-feature-checker with known unsupported command not-an-actual-feature"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker not-an-actual-feature | grep -q "false"
+)
+end_test
+
+## testing with known supported command partial with and without leading dashes
+
+begin_test "Testing ghe-rsync-feature-checker with known supported command --partial"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker --partial | grep -q "true"
+)
+end_test
+
+begin_test "Testing ghe-rsync-feature-checker with known supported command partial"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker partial | grep -q "true"
+)
+end_test
+
+## testing with known supported command -v with and without leading dashes
+
+begin_test "Testing ghe-rsync-feature-checker with known supported command -v"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker -v | grep -q "true"
+)
+end_test
+
+begin_test "Testing ghe-rsync-feature-checker with known supported command v"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker v | grep -q "true"
+)
+end_test
+
+## testing with known supported command --verbose with and without leading dashes
+
+begin_test "Testing ghe-rsync-feature-checker with known supported command --verbose"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker --verbose | grep -q "true"
+)
+end_test
+
+begin_test "Testing ghe-rsync-feature-checker with known supported command verbose"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker verbose | grep -q "true"
+)
+end_test
+
+## testing with known supported command ignore-missing-args with and without leading dashes
+
+begin_test "Testing ghe-rsync-feature-checker with known supported command --ignore-missing-args"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker "--ignore-missing-args" | grep -q "true"
+)
+end_test
+
+begin_test "Testing ghe-rsync-feature-checker with known supported command ignore-missing-args"
+(
+    set -e
+
+    # Test ghe-rsync-feature-checker command
+    ghe-rsync-feature-checker "ignore-missing-args" | grep -q "true"
+)
+end_test
