Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
commit 0c1d3d46838c1427d17cadabf4000444bb614046 Author: Florian Weimer fweimer@redhat.com Date: Mon Oct 13 09:51:42 2014 +0200
Shell: Use a snippet for the input validation example
Add self-tests to the snippet code. Mention that this construct is bash-specific.
Fixes the broken regular expression spotted by Eric Blake.
defensive-coding/en-US/Shell.xml | 27 ++++++------- ...ons-snprintf.xml => Shell-Input_Validation.xml} | 10 +++- defensive-coding/src/Shell-Input_Validation.sh | 41 ++++++++++++++++++++ 3 files changed, 61 insertions(+), 17 deletions(-)
diff --git a/defensive-coding/en-US/Shell.xml b/defensive-coding/en-US/Shell.xml index f889dc1..d6a9465 100644 --- a/defensive-coding/en-US/Shell.xml +++ b/defensive-coding/en-US/Shell.xml @@ -398,23 +398,22 @@ trap cleanup 0 linkend="sect-Defensive_Coding-Shell-Arithmetic"/>. </para> <para> - The following construct can be used to check if a string - “<literal>$value</literal>” is an integer. + <xref linkend="ex-Defensive_Coding-Shell-Input_Validation"/> + shows a construct which can be used to check if a string + “<literal>$value</literal>” is an integer. This construct is + specific to <application>bash</application> and not portable to + POSIX shells. </para> - <informalexample> - <programlisting language="Bash"> -if [[ $value =~ ^-?[0-9]$ ]] ; then - echo value is an integer -else - echo "value is not an integer" 1>&2 - exit 1 -fi - </programlisting> - </informalexample> + <example id="ex-Defensive_Coding-Shell-Input_Validation"> + <title>Input validation in <application>bash</application></title> + <xi:include href="snippets/Shell-Input_Validation.xml" + xmlns:xi="http://www.w3.org/2001/XInclude" /> + </example> <para> Using <literal>case</literal> statements for input validation is - also possible, but the pattern language is more restrictive, and - it can be difficult to write suitable patterns. + also possible and supported by other (POSIX) shells, but the + pattern language is more restrictive, and it can be difficult to + write suitable patterns. </para> <para> The <literal>expr</literal> external command can give misleading diff --git a/defensive-coding/en-US/snippets/C-String-Functions-snprintf.xml b/defensive-coding/en-US/snippets/Shell-Input_Validation.xml similarity index 60% copy from defensive-coding/en-US/snippets/C-String-Functions-snprintf.xml copy to defensive-coding/en-US/snippets/Shell-Input_Validation.xml index dc790d8..61cb7d1 100644 --- a/defensive-coding/en-US/snippets/C-String-Functions-snprintf.xml +++ b/defensive-coding/en-US/snippets/Shell-Input_Validation.xml @@ -2,7 +2,11 @@ <!DOCTYPE programlisting PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ ]> <!-- Automatically generated file. Do not edit. --> -<programlisting language="C"> -char fraction[30]; -snprintf(fraction, sizeof(fraction), "%d/%d", numerator, denominator); +<programlisting language="Bash"> +if [[ $value =~ ^-?[0-9]+$ ]] ; then + echo value is an integer +else + echo "value is not an integer" 1>&2 + exit 1 +fi </programlisting> diff --git a/defensive-coding/src/Shell-Input_Validation.sh b/defensive-coding/src/Shell-Input_Validation.sh new file mode 100644 index 0000000..2b86a49 --- /dev/null +++ b/defensive-coding/src/Shell-Input_Validation.sh @@ -0,0 +1,41 @@ +#!/bin/bash + +validate () { + local value="$1" + #+ Shell Input_Validation + if [[ $value =~ ^-?[0-9]+$ ]] ; then + echo value is an integer + else + echo "value is not an integer" 1>&2 + exit 1 + fi + #- +} + +check_validate () { + local value="$1" + local expected="$2" + ( + validate "$value" + ) >/dev/null 2>/dev/null + result="$?" + if ! test "$result" -eq "$expected" ; then + echo "failure: validate "$value" $expected -> got $result" + fi +} + +check_validate "" 1 +check_validate "0" 0 +check_validate "9" 0 +check_validate "-0" 0 +check_validate "-9" 0 +check_validate "10" 0 +check_validate "19" 0 +check_validate "-10" 0 +check_validate "-19" 0 +check_validate " 0" 1 +check_validate "--1" 1 +check_validate "1-" 1 +check_validate "1 || 0" 1 +check_validate '1$(kill -9 $PPID)' 1 +check_validate '2$(id)' 1
security@lists.fedoraproject.org