#!/usr/bin/env bash
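set -euo pipefail

# Repository safety gate: exits non-zero when the scanned trees contain a
# disallowed API / artifact name or a URL literal that is not loopback.
#
# The gate fails closed. ripgrep exits 0 on a match, 1 on a clean "no match"
# and 2 on any error (unreadable or missing search root, bad pattern); a
# missing rg binary yields 127. Using rg directly as an `if` condition would
# treat every non-zero status as "clean", so each scan records the status and
# only status 1 counts as a pass.
#
# The matching is textual and case-sensitive (rg's default), so a pass means
# "no literal hit", not proof that a capability is absent.

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"

# Trees searched for disallowed names.
SEARCH_ROOTS=(
  "$ROOT_DIR/src"
  "$ROOT_DIR/tests"
  "$ROOT_DIR/tools"
  "$ROOT_DIR/scripts"
)

# Trees searched for URL literals (tests are not included).
URL_SEARCH_ROOTS=(
  "$ROOT_DIR/src"
  "$ROOT_DIR/tools"
  "$ROOT_DIR/scripts"
)

# Exclusions shared by both scans.
# NOTE(review): presumably verify-safety.sh is this script, excluded because
# it contains the patterns it looks for. The globs match at any depth, so any
# file with that name, or anything under a bin/ or obj/ directory, is a blind
# spot of this gate.
RG_COMMON=(--glob '!verify-safety.sh' --glob '!**/bin/**' --glob '!**/obj/**')

# Print "error: <message>" on stderr and stop with a failing status.
fail() {
  echo "error: $*" >&2
  exit 1
}

command -v rg >/dev/null 2>&1 \
  || fail "ripgrep (rg) not found; the safety scan cannot run"

DISALLOWED_PATTERN='SetClipboard|OpenClipboard|GetClipboardData|AddClipboardFormatListener|UpdateResource|BeginUpdateResource|EndUpdateResource|SHGetSpecialFolderPath|CreateMutex|WindowsUpdate|zip_work|TARGET_PATH|--merge-env|CryptUnprotectData|Login Data|wallet\.dat'

scan_status=0
rg "${RG_COMMON[@]}" -n -e "$DISALLOWED_PATTERN" "${SEARCH_ROOTS[@]}" \
  || scan_status=$?
case "$scan_status" in
  0) fail "disallowed malware-adjacent capability found" ;;
  1) ;; # no match and no error
  *) fail "capability scan did not complete (rg exit ${scan_status})" ;;
esac

URL_PATTERN='https?://[^"[:space:]]+'

# Allowlist, applied to each extracted URL on its own rather than to the
# whole source line: a line-level filter would also drop any other URL that
# shares a line with a loopback one. The host must end right after
# 127.0.0.1 / localhost (optionally followed by a numeric or {templated}
# port), so a longer host name or a userinfo prefix does not pass as loopback.
LOOPBACK_URL_RE='^http://(127\.0\.0\.1|localhost)(:([0-9]+|\{[^}]*\}))?([^[:alnum:]._%@:-].*)?$'
# URLs whose host is an interpolation placeholder stay exempt, as before.
# NOTE(review): the runtime value of such a host is not checked by this gate.
TEMPLATE_URL_RE='^http://\{'

url_hits_file="$(mktemp)"
trap 'rm -f -- "$url_hits_file"' EXIT

# --null ends each path with a NUL byte, so records read "path\0line:url" and
# can be split without guessing where a path containing ':' ends.
url_status=0
rg "${RG_COMMON[@]}" --glob '!*.axaml' --null -n -o -e "$URL_PATTERN" \
  "${URL_SEARCH_ROOTS[@]}" >"$url_hits_file" || url_status=$?
if ((url_status > 1)); then
  fail "URL scan did not complete (rg exit ${url_status})"
fi

external_url_found=0
while IFS= read -r -d '' hit_path || [[ -n "$hit_path" ]]; do
  # Anything that does not parse as "line:url" is treated as a failure
  # instead of being skipped.
  IFS= read -r hit_rest || [[ -n "$hit_rest" ]] \
    || fail "unexpected rg output while scanning URLs"
  [[ "$hit_rest" =~ ^[0-9]+: ]] \
    || fail "unexpected rg output while scanning URLs"
  hit_url="${hit_rest#*:}"
  if [[ "$hit_url" =~ $LOOPBACK_URL_RE || "$hit_url" =~ $TEMPLATE_URL_RE ]]; then
    continue
  fi
  printf '%s:%s\n' "$hit_path" "$hit_rest"
  external_url_found=1
done <"$url_hits_file"

if ((external_url_found)); then
  fail "non-loopback URL literal found"
fi

echo "Safety scan passed."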