Add Ehwrj clean-room live map
33
scripts/verify-safety.sh
Executable file
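--- a/scripts/verify-safety.sh
+++ b/scripts/verify-safety.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+SEARCH_ROOTS=(
+"$ROOT_DIR/src"
+"$ROOT_DIR/tests"
+"$ROOT_DIR/tools"
+"$ROOT_DIR/scripts"
+)
+URL_SEARCH_ROOTS=(
+"$ROOT_DIR/src"
+"$ROOT_DIR/tools"
+"$ROOT_DIR/scripts"
+)
+RG_COMMON=(--glob '!verify-safety.sh' --glob '!**/bin/**' --glob '!**/obj/**')
+
+DISALLOWED_PATTERN='SetClipboard|OpenClipboard|GetClipboardData|AddClipboardFormatListener|UpdateResource|BeginUpdateResource|EndUpdateResource|SHGetSpecialFolderPath|CreateMutex|WindowsUpdate|zip_work|TARGET_PATH|--merge-env|CryptUnprotectData|Login Data|wallet\.dat'
+
+if rg "${RG_COMMON[@]}" -n "$DISALLOWED_PATTERN" "${SEARCH_ROOTS[@]}"; then
+echo "error: disallowed malware-adjacent capability found" >&2
+exit 1
+fi
+
+URL_PATTERN='https?://[^"[:space:]]+'
+if rg "${RG_COMMON[@]}" --glob '!*.axaml' -n "$URL_PATTERN" "${URL_SEARCH_ROOTS[@]}" \
+| rg -v 'http://(127\.0\.0\.1|localhost)(:[0-9]+)?(/[^"[:space:]]*)?' \
+| rg -v 'http://\{'; then
+echo "error: non-loopback URL literal found" >&2
+exit 1
+fi
+
+echo "Safety scan passed."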
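Review bot: Both gates in scripts/verify-safety.sh fail open, because `if rg …; then` treats every non-zero status as "no match". ripgrep exits 2 when it hits an error (for example a search root that does not exist) even if it also printed matches, and a missing `rg` binary yields 127; in either case the script falls through to "Safety scan passed." Capture the status and accept only 1 as clean, as in the fence below; the URL pipeline needs the same handling for its first `rg` stage, e.g. by inspecting `PIPESTATUS`. Separately, the loopback filter `rg -v` discards whole lines and its host alternative is not bounded, so a line holding a loopback URL next to another URL, or a host that merely begins with `localhost`, never reaches the error branch; extracting URLs with `-o` and comparing each against an anchored allowlist would close that gap.

```shell
# … unchanged: ROOT_DIR, SEARCH_ROOTS, URL_SEARCH_ROOTS, RG_COMMON, DISALLOWED_PATTERN …
scan_status=0
rg "${RG_COMMON[@]}" -n "$DISALLOWED_PATTERN" "${SEARCH_ROOTS[@]}" || scan_status=$?
case "$scan_status" in
  0)
    echo "error: disallowed malware-adjacent capability found" >&2
    exit 1
    ;;
  1) ;; # no match: the only status that counts as clean
  *)
    echo "error: safety scan could not run (rg exit $scan_status)" >&2
    exit 2
    ;;
esac
# … unchanged: URL_PATTERN check and final "Safety scan passed." message …
```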