fix: v0.1.1 - Alle Build-Fehler behoben, HTTP 400 gefixt
- PKGBUILD Fetcher: korrekte AUR URL (?h=package) - chrono::Duration statt Instant für Cache-Prüfung - directories crate statt dirs - async/await Korrekturen - Display Traits für Enums - Scanner mutability Test: aegisaur scan gtkimageview => 93/100 SICHER
+137
-39
@@ -1,49 +1,147 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# An example hook script to verify what is about to be committed.
|
||||
# Called by "git commit" with no arguments. The hook should
|
||||
# exit with non-zero status after issuing an appropriate message if
|
||||
# it wants to stop the commit.
|
||||
#
|
||||
# To enable this hook, rename this file to "pre-commit".
|
||||
use anyhow::{Context, Result};
|
||||
use std::io::Write;
|
||||
use std::path::Path;
|
||||
use tracing::{info, warn};
|
||||
|
||||
if git rev-parse --verify HEAD >/dev/null 2>&1
|
||||
then
|
||||
against=HEAD
|
||||
else
|
||||
# Initial commit: diff against an empty tree object
|
||||
against=$(git hash-object -t tree /dev/null)
|
||||
const ALPM_HOOK_PATH: &str = "/usr/share/libalpm/hooks/aegisaur-pre-install.hook";
|
||||
const HOOK_SCRIPT_PATH: &str = "/usr/share/libalpm/hooks/aegisaur-check.sh";
|
||||
|
||||
/// Installiert den ALPM-Hook für Pre-Install-Checks
|
||||
pub fn install_alpm_hook() -> Result<()> {
|
||||
// Hook-Definition
|
||||
let hook_content = r#"[Trigger]
|
||||
Operation = Install
|
||||
Operation = Upgrade
|
||||
Type = Package
|
||||
Target = *
|
||||
|
||||
[Action]
|
||||
Description = AegisAUR Security Scan
|
||||
When = PreTransaction
|
||||
Exec = /usr/share/libalpm/hooks/aegisaur-check.sh
|
||||
NeedsTargets
|
||||
AbortOnFail
|
||||
"#;
|
||||
|
||||
// Shell-Script, das aegisaur aufruft
|
||||
let script_content = r#"#!/bin/bash
|
||||
# AegisAUR Pre-Install Hook
|
||||
# Prüft Pakete vor der Installation
|
||||
|
||||
AUR_SCANNER="/usr/bin/aegisaur"
|
||||
TMPFILE=$(mktemp)
|
||||
|
||||
# Alle zu installierenden Pakete durch aegisaur prüfen
|
||||
while read -r package; do
|
||||
# Nur AUR-Pakete prüfen (Foreign packages)
|
||||
if pacman -Qi "$package" >/devdev/null 2>&1; then
|
||||
# Paket ist bereits installiert (Upgrade)
|
||||
continue
|
||||
fi
|
||||
|
||||
# Prüfe ob es ein AUR/Foreign Paket ist
|
||||
if pacman -Si "$package" >/dev/null 2>&1; then
|
||||
# Offizielles Repo-Paket, immer OK
|
||||
continue
|
||||
fi
|
||||
|
||||
# AUR Paket gefunden - scanne es
|
||||
if [[ -x "$AUR_SCANNER" ]]; then
|
||||
RESULT=$($AUR_SCANNER scan "$package" --json 2>/devnull)
|
||||
SCORE=$(echo "$RESULT" | grep -oP '"score":\s*\K\d+')
|
||||
STATUS=$(echo "$RESULT" | grep -oP '"status":\s*"\K[^"]+')
|
||||
|
||||
if [[ "$STATUS" == "IOCDetected" ]] || [[ "$STATUS" == "Dangerous" ]]; then
|
||||
echo ""
|
||||
echo "╔════════════════════════════════════════════════════════════════╗"
|
||||
echo "║ 🚨 AEGISAUR SECURITY ALERT 🚨 ║"
|
||||
echo "╚════════════════════════════════════════════════════════════════╝"
|
||||
echo ""
|
||||
echo "Paket: $package"
|
||||
echo "Status: $STATUS"
|
||||
echo "Score: $SCORE/100"
|
||||
echo ""
|
||||
echo "⚠️ DIESES PAKET IST ALS GEFÄHRLICH EINGESTUFT!"
|
||||
echo ""
|
||||
echo "Möchtest du die Installation abbrechen? (Ja/Nein)"
|
||||
read -r response
|
||||
if [[ "$response" =~ ^[Jj]([Aa]|$) ]]; then
|
||||
echo "Installation abgebrochen."
|
||||
rm -f "$TMPFILE"
|
||||
exit 1
|
||||
fi
|
||||
echo "WARNUNG: Installation wird fortgesetzt auf eigenes Risiko!"
|
||||
echo "$package ($STATUS - Score: $SCORE)" >> "$TMPFILE"
|
||||
elif [[ "$STATUS" == "Suspicious" ]] || [[ "$STATUS" == "Warning" ]]; then
|
||||
echo ""
|
||||
echo "⚠️ AegisAUR Warnung für $package: $STATUS (Score: $SCORE/100)"
|
||||
echo "$package ($STATUS - Score: $SCORE)" >> "$TMPFILE"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# Zusammenfassung anzeigen falls Warnungen vorhanden
|
||||
if [[ -s "$TMPFILE" ]]; then
|
||||
echo ""
|
||||
echo "╔══════════════════════════════════════════════════════════════╗"
|
||||
echo "║ AegisAUR Scan Zusammenfassung ║"
|
||||
echo "╚══════════════════════════════════════════════════════════════╝"
|
||||
cat "$TMPFILE"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
# If you want to allow non-ASCII filenames set this variable to true.
|
||||
allownonascii=$(git config --type=bool hooks.allownonascii)
|
||||
rm -f "$TMPFILE"
|
||||
exit 0
|
||||
"#;
|
||||
|
||||
# Redirect output to stderr.
|
||||
exec 1>&2
|
||||
// Hook-Datei schreiben
|
||||
info!("Schreibe ALPM Hook: {}", ALPM_HOOK_PATH);
|
||||
let mut hook_file = std::fs::File::create(ALPM_HOOK_PATH)
|
||||
.context("Konnte ALPM Hook nicht erstellen (Root-Rechte nötig)")?;
|
||||
hook_file.write_all(hook_content.as_bytes())?;
|
||||
|
||||
# Cross platform projects tend to avoid non-ASCII filenames; prevent
|
||||
# them from being added to the repository. We exploit the fact that the
|
||||
# printable range starts at the space character and ends with tilde.
|
||||
if [ "$allownonascii" != "true" ] &&
|
||||
# Note that the use of brackets around a tr range is ok here, (it's
|
||||
# even required, for portability to Solaris 10's /usr/bin/tr), since
|
||||
# the square bracket bytes happen to fall in the designated range.
|
||||
test $(git diff-index --cached --name-only --diff-filter=A -z $against |
|
||||
LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
|
||||
then
|
||||
cat <<\EOF
|
||||
Error: Attempt to add a non-ASCII file name.
|
||||
// Script schreiben
|
||||
info!("Schreibe Hook-Script: {}", HOOK_SCRIPT_PATH);
|
||||
let mut script_file = std::fs::File::create(HOOK_SCRIPT_PATH)
|
||||
.context("Konnte Hook-Script nicht erstellen")?;
|
||||
script_file.write_all(script_content.as_bytes())?;
|
||||
|
||||
This can cause problems if you want to work with people on other platforms.
|
||||
// Script executable machen
|
||||
#[cfg(unix)]
|
||||
{
|
||||
use std::os::unix::fs::PermissionsExt;
|
||||
let mut perms = std::fs::metadata(HOOK_SCRIPT_PATH)?.permissions();
|
||||
perms.set_mode(0o755);
|
||||
std::fs::set_permissions(HOOK_SCRIPT_PATH, perms)?;
|
||||
}
|
||||
|
||||
To be portable it is advisable to rename the file.
|
||||
info!("ALPM Hook erfolgreich installiert");
|
||||
Ok(())
|
||||
}
|
||||
|
||||
If you know what you are doing you can disable this check using:
|
||||
/// Entfernt den ALPM-Hook
|
||||
pub fn remove_alpm_hook() -> Result<()> {
|
||||
info!("Entferne ALPM Hook...");
|
||||
|
||||
git config hooks.allownonascii true
|
||||
EOF
|
||||
exit 1
|
||||
fi
|
||||
if Path::new(ALPM_HOOK_PATH).exists() {
|
||||
std::fs::remove_file(ALPM_HOOK_PATH)?;
|
||||
info!("Hook-Datei entfernt: {}", ALPM_HOOK_PATH);
|
||||
} else {
|
||||
warn!("Hook-Datei nicht gefunden: {}", ALPM_HOOK_PATH);
|
||||
}
|
||||
|
||||
# If there are whitespace errors, print the offending file names and fail.
|
||||
exec git diff-index --check --cached $against --
|
||||
if Path::new(HOOK_SCRIPT_PATH).exists() {
|
||||
std::fs::remove_file(HOOK_SCRIPT_PATH)?;
|
||||
info!("Script entfernt: {}", HOOK_SCRIPT_PATH);
|
||||
} else {
|
||||
warn!("Script nicht gefunden: {}", HOOK_SCRIPT_PATH);
|
||||
}
|
||||
|
||||
info!("ALPM Hook erfolgreich entfernt");
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Prüft ob Hook installiert ist
|
||||
pub fn is_hook_installed() -> bool {
|
||||
Path::new(ALPM_HOOK_PATH).exists() && Path::new(HOOK_SCRIPT_PATH).exists()
|
||||
}
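Review bot: The `read -r response` prompt under `Möchtest du die Installation abbrechen?` shares stdin with the `while read -r package` loop, and with `NeedsTargets` that stdin is the target list pacman pipes into the hook, so the answer is either the next package name or EOF — neither matches `^[Jj]([Aa]|$)`, execution falls through to the `WARNUNG: Installation wird fortgesetzt` line and the script still reaches `exit 0`, so a package scored `Dangerous`/`IOCDetected` is installed unattended despite `AbortOnFail`, and one target is silently consumed and never scanned. A fail-closed default would replace the bare read with `if ! read -r response </dev/tty 2>/dev/null; then response="Ja"; fi` so that a missing terminal aborts the transaction. Two redirect typos in the embedded script, `>/devdev/null` and `2>/devnull`, respectively make the installed-package check never skip anything (the failed redirect fails the `if`) and create a file named `/devnull` as root on every run. Separately, skipping every package that `pacman -Qi` already knows means AUR upgrades are never scanned even though the trigger lists `Operation = Upgrade`, which is the usual supply-chain vector; if that is intentional it deserves a comment, otherwise `pacman -Qm "$package"` (foreign packages) seems the intended filter.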
|
||||