3 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/74f9d06223e4/
Changeset: 74f9d06223e4
Branch: release_14.08
User: dan
Date: 2015-04-22 19:36:36+00:00
Summary: Fix for abitrary code execution in the ToolShed when uploaded tools reference a <code file=...>. Release 14.08..15.01 version.
Affected #: 2 files
diff -r de9d5f65c15eb5a5a6b61d72d0dbbaf105ea2ccb -r 74f9d06223e40395e9b991171ab4aa21eec73b2e lib/galaxy/tools/__init__.py
--- a/lib/galaxy/tools/__init__.py
+++ b/lib/galaxy/tools/__init__.py
@@ -1062,13 +1062,14 @@
 default_tool_action = DefaultToolAction
 dict_collection_visible_keys = ( 'id', 'name', 'version', 'description' )
 
- def __init__( self, config_file, root, app, guid=None, repository_id=None ):
+ def __init__( self, config_file, root, app, guid=None, repository_id=None, allow_code_files=True ):
 """Load a tool from the config named by `config_file`"""
 # Determine the full path of the directory where the tool config is
 self.config_file = config_file
 self.tool_dir = os.path.dirname( config_file )
 self.app = app
 self.repository_id = repository_id
+ self._allow_code_files = allow_code_files
 #setup initial attribute values
 self.inputs = odict()
 self.stdio_exit_codes = list()
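Review bot: The new `allow_code_files` keyword is not described anywhere in `__init__`; the docstring still reads only `"""Load a tool from the config named by `config_file`"""`, so a reader has to find the `execfile` guard further down to learn that False means `<code file=...>` elements are ignored rather than executed, and that the default keeps every existing caller executing them. I would extend the docstring with one sentence, e.g. `allow_code_files: when False, <code file=...> elements are not exec'd and their hooks are not registered; pass False for configs from untrusted sources such as ToolShed uploads.` Since the default is True, the protection rests on each caller that handles uploaded tool configs remembering to pass False, which is worth stating in that sentence. The same hunk appears in 9eaf8d97dfef (release_14.10) and 8586ba87fdfe (release_15.01). `__init__`'s body continues well past the end of the hunk.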
@@ -1303,14 +1304,15 @@
 # "module" if it has one. Allows us to reuse code files, etc.
 self.code_namespace = dict()
 self.hook_map = {}
- for code_elem in root.findall("code"):
- for hook_elem in code_elem.findall("hook"):
- for key, value in hook_elem.items():
- # map hook to function
- self.hook_map[key] = value
- file_name = code_elem.get("file")
- code_path = os.path.join( self.tool_dir, file_name )
- execfile( code_path, self.code_namespace )
+ if self._allow_code_files:
+ for code_elem in root.findall("code"):
+ for hook_elem in code_elem.findall("hook"):
+ for key, value in hook_elem.items():
+ # map hook to function
+ self.hook_map[key] = value
+ file_name = code_elem.get("file")
+ code_path = os.path.join( self.tool_dir, file_name )
+ execfile( code_path, self.code_namespace )
 # Load any tool specific options (optional)
 self.options = dict( sanitize=True, refresh=False )
 for option_elem in root.findall("options"):
diff -r de9d5f65c15eb5a5a6b61d72d0dbbaf105ea2ccb -r 74f9d06223e40395e9b991171ab4aa21eec73b2e lib/tool_shed/tools/tool_validator.py
--- a/lib/tool_shed/tools/tool_validator.py
+++ b/lib/tool_shed/tools/tool_validator.py
@@ -292,7 +292,7 @@
 
 def load_tool_from_config( self, repository_id, full_path ):
 try:
- tool = self.app.toolbox.load_tool( full_path, repository_id=repository_id )
+ tool = self.app.toolbox.load_tool( full_path, repository_id=repository_id, allow_code_files=False )
 valid = True
 error_message = None
 except KeyError, e:
https://bitbucket.org/galaxy/galaxy-central/commits/9eaf8d97dfef/
Changeset: 9eaf8d97dfef
Branch: release_14.10
User: dan
Date: 2015-04-22 19:40:55+00:00
Summary: Fix for abitrary code execution in the ToolShed when uploaded tools reference a <code file=...>. Release 14.08..15.01 version
Affected #: 2 files
diff -r a2fad44da847abfe5c39ffdf82f10f6e4be3d1e3 -r 9eaf8d97dfef5577825c921a86df74e8dadb2134 lib/galaxy/tools/__init__.py
--- a/lib/galaxy/tools/__init__.py
+++ b/lib/galaxy/tools/__init__.py
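Review bot: When `self._allow_code_files` is False the guard skips the whole block, so any `<code file=...>` element in the config is dropped without a trace: `self.hook_map` stays empty and nothing records that the tool's hooks were neither loaded nor checked, which the ToolShed validator that passes False would presumably want to surface to the uploader. An `else` branch that notes the skipped elements would keep the fail-closed behaviour while making it visible, e.g. `elif root.findall( "code" ):` followed by a log line such as `log.debug( "Skipping <code> elements in %s: code files are disabled for this load", config_file )`, assuming the module logger is available at this point. The `execfile` on a path built from the tool config remains intentional arbitrary code execution for trusted, locally installed tools; the comment above the block could say so explicitly, e.g. `# Code files run with full interpreter privileges; only reached when allow_code_files is True.` The same change is repeated in 9eaf8d97dfef and 8586ba87fdfe, where the same applies.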
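Review bot: `allow_code_files=False` is passed to `self.app.toolbox.load_tool`, but whether that keyword reaches `Tool.__init__` depends on `load_tool` forwarding unknown keyword arguments, which is not part of this diff; if it does not, the call raises `TypeError`, which the `except KeyError, e:` handler below will not catch, so validation would fail loudly rather than execute the code file — acceptable, but worth confirming against `load_tool`. A regression test would pin the intent: a fixture tool config with a code element (say, `<code file="hook.py">`, a constructed example) whose file has an observable side effect, loaded through `load_tool_from_config`, asserting that the side effect does not occur and that `tool.hook_map` is empty. The same call-site change appears in 9eaf8d97dfef and 8586ba87fdfe. `load_tool_from_config` continues past the end of the hunk.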
@@ -1179,13 +1179,14 @@
 dict_collection_visible_keys = ( 'id', 'name', 'version', 'description' )
 default_template = 'tool_form.mako'
 
- def __init__( self, config_file, root, app, guid=None, repository_id=None ):
+ def __init__( self, config_file, root, app, guid=None, repository_id=None, allow_code_files=True ):
 """Load a tool from the config named by `config_file`"""
 # Determine the full path of the directory where the tool config is
 self.config_file = config_file
 self.tool_dir = os.path.dirname( config_file )
 self.app = app
 self.repository_id = repository_id
+ self._allow_code_files = allow_code_files
 #setup initial attribute values
 self.inputs = odict()
 self.stdio_exit_codes = list()
@@ -1420,14 +1421,15 @@
 # "module" if it has one. Allows us to reuse code files, etc.
 self.code_namespace = dict()
 self.hook_map = {}
- for code_elem in root.findall("code"):
- for hook_elem in code_elem.findall("hook"):
- for key, value in hook_elem.items():
- # map hook to function
- self.hook_map[key] = value
- file_name = code_elem.get("file")
- code_path = os.path.join( self.tool_dir, file_name )
- execfile( code_path, self.code_namespace )
+ if self._allow_code_files:
+ for code_elem in root.findall("code"):
+ for hook_elem in code_elem.findall("hook"):
+ for key, value in hook_elem.items():
+ # map hook to function
+ self.hook_map[key] = value
+ file_name = code_elem.get("file")
+ code_path = os.path.join( self.tool_dir, file_name )
+ execfile( code_path, self.code_namespace )
 # Load any tool specific options (optional)
 self.options = dict( sanitize=True, refresh=False )
 for option_elem in root.findall("options"):
diff -r a2fad44da847abfe5c39ffdf82f10f6e4be3d1e3 -r 9eaf8d97dfef5577825c921a86df74e8dadb2134 lib/tool_shed/tools/tool_validator.py
--- a/lib/tool_shed/tools/tool_validator.py
+++ b/lib/tool_shed/tools/tool_validator.py
@@ -292,7 +292,7 @@
 
 def load_tool_from_config( self, repository_id, full_path ):
 try:
- tool = self.app.toolbox.load_tool( full_path, repository_id=repository_id )
+ tool = self.app.toolbox.load_tool( full_path, repository_id=repository_id, allow_code_files=False )
 valid = True
 error_message = None
 except KeyError, e:
https://bitbucket.org/galaxy/galaxy-central/commits/8586ba87fdfe/
Changeset: 8586ba87fdfe
Branch: release_15.01
User: dan
Date: 2015-04-22 19:42:50+00:00
Summary: Fix for abitrary code execution in the ToolShed when uploaded tools reference a <code file=...>. Release 14.08..15.01 version
Affected #: 2 files
diff -r 7a09c05aed7a3ca0cb64edb0e5e331d59028d86e -r 8586ba87fdfe4a3d9f3088ddb07f4466c53d3945 lib/galaxy/tools/__init__.py
--- a/lib/galaxy/tools/__init__.py
+++ b/lib/galaxy/tools/__init__.py
@@ -1238,13 +1238,14 @@
 dict_collection_visible_keys = ( 'id', 'name', 'version', 'description' )
 default_template = 'tool_form.mako'
 
- def __init__( self, config_file, root, app, guid=None, repository_id=None ):
+ def __init__( self, config_file, root, app, guid=None, repository_id=None, allow_code_files=True ):
 """Load a tool from the config named by `config_file`"""
 # Determine the full path of the directory where the tool config is
 self.config_file = config_file
 self.tool_dir = os.path.dirname( config_file )
 self.app = app
 self.repository_id = repository_id
+ self._allow_code_files = allow_code_files
 #setup initial attribute values
 self.inputs = odict()
 self.stdio_exit_codes = list()
@@ -1485,14 +1486,15 @@
 # "module" if it has one. Allows us to reuse code files, etc.
 self.code_namespace = dict()
 self.hook_map = {}
- for code_elem in root.findall("code"):
- for hook_elem in code_elem.findall("hook"):
- for key, value in hook_elem.items():
- # map hook to function
- self.hook_map[key] = value
- file_name = code_elem.get("file")
- code_path = os.path.join( self.tool_dir, file_name )
- execfile( code_path, self.code_namespace )
+ if self._allow_code_files:
+ for code_elem in root.findall("code"):
+ for hook_elem in code_elem.findall("hook"):
+ for key, value in hook_elem.items():
+ # map hook to function
+ self.hook_map[key] = value
+ file_name = code_elem.get("file")
+ code_path = os.path.join( self.tool_dir, file_name )
+ execfile( code_path, self.code_namespace )
 # Load any tool specific options (optional)
 self.options = dict( sanitize=True, refresh=False )
 for option_elem in root.findall("options"):
diff -r 7a09c05aed7a3ca0cb64edb0e5e331d59028d86e -r 8586ba87fdfe4a3d9f3088ddb07f4466c53d3945 lib/tool_shed/tools/tool_validator.py
--- a/lib/tool_shed/tools/tool_validator.py
+++ b/lib/tool_shed/tools/tool_validator.py
@@ -292,7 +292,7 @@
 
 def load_tool_from_config( self, repository_id, full_path ):
 try:
- tool = self.app.toolbox.load_tool( full_path, repository_id=repository_id )
+ tool = self.app.toolbox.load_tool( full_path, repository_id=repository_id, allow_code_files=False )
 valid = True
 error_message = None
 except KeyError, e:
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.