#!/bin/bash
#################################################################################################################################
# validate-inputs-release.sh
# Created on 03/28/2025
#
# Copyright (C) 2025 Mehmet Bertan Tarakcioglu, Under the MIT License
#
# This file was originally created as part of the WatchDuck project CI Pipeline.
#################################################################################################################################
# !!!!!!!!!! Only use this for the release workflow !!!!!!!!!!
# This script is meant to run on a GitHub macOS Action Runner as part of the Swift-Executable-CI workflows!
# It assumes it is running as part of that workflow and may fail if it is run on its own.
# This script validates and sanitizes the inputs for the workflow to harden against malicious input.
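# Exit on error, disallow unset variables, and fail a pipeline when any stage fails
set -euo pipefail

#######################################
# Print a diagnostic to stderr and abort the workflow step.
# Arguments: $* - message text
# Returns:   never (exits 1)
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# --- Presence checks -----------------------------------------------------------
# ${VAR:-} keeps `set -u` from aborting before a useful message can be printed.
[[ -n "${EXEC_NAME:-}" ]] || die "Missing executable name"
[[ -n "${NEW_TAG:-}" ]] || die "Missing version tag"
[[ -n "${SWIFT_TOOLCHAIN_VERSION:-}" && -n "${LINUX_SDK_URL:-}" ]] \
  || die "Missing Swift toolchain or SDK URL"

# --- Executable name -----------------------------------------------------------
# Anchored so the whole value must match. The first character may not be '-',
# so the name can never be parsed as an option by a tool it is later passed to.
if [[ ! "${EXEC_NAME}" =~ ^[a-zA-Z0-9_][a-zA-Z0-9_-]*$ ]]; then
  die "Invalid executable name"
fi

# --- Version tag ---------------------------------------------------------------
# Full SemVer 2.0.0 grammar, MAJOR.MINOR.PATCH[-prerelease][+build], anchored.
# Kept in a variable because an unquoted RHS of =~ is read as a regex.
readonly SEMVER_RE='^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-([0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*))?(\+([0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*))?$'
if [[ ! "${NEW_TAG}" =~ ${SEMVER_RE} ]]; then
  die "Invalid tag format"
fi

# Escape the sed-special characters & / \ in NEW_TAG and write it back to itself.
# The SemVer check above already excludes all three, so this is a defensive
# no-op kept so the value stays safe if the grammar is ever relaxed.
NEW_TAG=$(printf '%s' "${NEW_TAG}" | sed -e 's/[\&/\\]/\\&/g')

# --- SDK URL -------------------------------------------------------------------
# Require https so the SDK is never fetched over plaintext HTTP. The authority
# admits only hostname characters (no userinfo, no '@'), an optional port, and a
# path that contains no whitespace (a newline would otherwise slip past `.`).
readonly SDK_URL_RE='^https://[a-zA-Z0-9.-]+(:[0-9]+)?(/[^[:space:]]*)?$'
if [[ ! "${LINUX_SDK_URL}" =~ ${SDK_URL_RE} ]]; then
  die "Invalid SDK URL"
fi

# Take the authority (host[:port]) with parameter expansion instead of awk and
# require swift.org or a subdomain of it. A port suffix is deliberately not
# stripped, so "swift.org:8080" is rejected.
DOMAIN=${LINUX_SDK_URL#https://}
DOMAIN=${DOMAIN%%/*}
readonly DOMAIN
if [[ "${DOMAIN}" != "swift.org" && ! "${DOMAIN}" =~ \.swift\.org$ ]]; then
  die "Untrusted domain: ${DOMAIN}"
fi

# --- Toolchain / SDK consistency ------------------------------------------------
# The toolchain version used to be interpolated into a `grep -E` pattern, where
# an unvalidated value such as ".*" matched every URL. Restrict its character
# set, then compare as a literal substring: a quoted variable inside [[ == ]]
# is matched verbatim, not as a glob.
if [[ ! "${SWIFT_TOOLCHAIN_VERSION}" =~ ^[0-9A-Za-z][0-9A-Za-z.-]*$ ]]; then
  die "Invalid Swift toolchain version"
fi
if [[ "${LINUX_SDK_URL}" != *"${SWIFT_TOOLCHAIN_VERSION}"* ]]; then
  die "The Swift version in the Linux Static SDK does not match the provided Swift toolchain version for Swift Setup!"
fi

# --- Tag existence (only AFTER the format check, so NEW_TAG is safe to use) ----
# Capture the listing first: inside `if git ... | grep -q`, a failed or
# SIGPIPE'd git would silently read as "tag absent" instead of aborting.
remote_tags=$(git ls-remote --tags origin) || die "Could not list tags on origin"
# Exact comparison on the ref column. The old `grep "refs/tags/${NEW_TAG}$"` was
# a regex in which '.' matched any character and the prefix was unanchored, so
# 1.0.0 also matched 1a0b0 or v1.0.0. Peeled entries (refs/tags/X^{}) never equal
# the wanted ref and are therefore excluded automatically.
if printf '%s\n' "${remote_tags}" \
  | awk -v want="refs/tags/${NEW_TAG}" '$2 == want { found = 1 } END { exit !found }'; then
  die "Tag already exists"
fi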