Compare commits
4 Commits
527895a377
...
tweak/grav
| Author | SHA1 | Date | |
|---|---|---|---|
|
ac78066657 | ||
|
|
f4a395cb06 | ||
|
|
0cfc02cbab | ||
|
|
4e191da1a0 |
6
.github/workflows/codeql-analysis.yml
vendored
6
.github/workflows/codeql-analysis.yml
vendored
@@ -29,12 +29,12 @@ jobs:
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
-
|
||||
name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 #v4.30.9
|
||||
uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 #v4.30.8
|
||||
with:
|
||||
languages: 'python'
|
||||
-
|
||||
name: Autobuild
|
||||
uses: github/codeql-action/autobuild@16140ae1a102900babc80a33c44059580f687047 #v4.30.9
|
||||
uses: github/codeql-action/autobuild@f443b600d91635bebf5b0d9ebc620189c0d6fba5 #v4.30.8
|
||||
-
|
||||
name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 #v4.30.9
|
||||
uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 #v4.30.8
|
||||
|
||||
2
.github/workflows/test.yml
vendored
2
.github/workflows/test.yml
vendored
@@ -43,7 +43,7 @@ jobs:
|
||||
ignore_words_file: .codespellignore
|
||||
|
||||
- name: Get editorconfig-checker
|
||||
uses: editorconfig-checker/action-editorconfig-checker@5ecdd656fe347c26f76b1b435b90e1d74fb5e787 # tag v2. is really out of date
|
||||
uses: editorconfig-checker/action-editorconfig-checker@1a41284d59c6fe7f1b21ddc4a2b36400a33dc1b4 # tag v2. is really out of date
|
||||
|
||||
- name: Run editorconfig-checker
|
||||
run: editorconfig-checker
|
||||
|
||||
69
gravity.sh
69
gravity.sh
@@ -611,8 +611,8 @@ compareLists() {
|
||||
# Download specified URL and perform checks on HTTP status and file content
|
||||
gravity_DownloadBlocklistFromUrl() {
|
||||
local url="${1}" adlistID="${2}" saveLocation="${3}" compression="${4}" gravity_type="${5}" domain="${6}"
|
||||
local listCurlBuffer str httpCode success="" ip customUpstreamResolver=""
|
||||
local file_path ip_addr port blocked=false download=true
|
||||
local listCurlBuffer str curlJson httpCode curlErrorMsg="" curlExitCode="" success="" ip customUpstreamResolver=""
|
||||
local file_path permissions ip_addr port blocked=false download=true
|
||||
# modifiedOptions is an array to store all the options used to check if the adlist has been changed upstream
|
||||
local modifiedOptions=()
|
||||
|
||||
@@ -721,54 +721,48 @@ gravity_DownloadBlocklistFromUrl() {
|
||||
fi
|
||||
fi
|
||||
|
||||
# If we "download" a local file (file://), verify read access before using it.
|
||||
# When running as root (e.g., via pihole -g), check that the 'pihole' user can read the file
|
||||
# to match the effective runtime user of FTL; otherwise, check the current user's read access
|
||||
# (e.g., in Docker or when invoked by a non-root user). The target must
|
||||
# resolve to a regular file and be readable by the evaluated user.
|
||||
if [[ "${url}" == "file:/"* ]]; then
|
||||
# If we are going to "download" a local file, we first check if the target
|
||||
# file has a+r permission. We explicitly check for all+read because we want
|
||||
# to make sure that the file is readable by everyone and not just the user
|
||||
# running the script.
|
||||
if [[ $url == "file://"* ]]; then
|
||||
# Get the file path
|
||||
file_path=$(echo "${url}" | cut -d'/' -f3-)
|
||||
file_path=$(echo "$url" | cut -d'/' -f3-)
|
||||
# Check if the file exists and is a regular file (i.e. not a socket, fifo, tty, block). Might still be a symlink.
|
||||
if [[ ! -f ${file_path} ]]; then
|
||||
# Output that the file does not exist
|
||||
echo -e "${OVER} ${CROSS} ${file_path} does not exist"
|
||||
download=false
|
||||
if [[ ! -f $file_path ]]; then
|
||||
# Output that the file does not exist
|
||||
echo -e "${OVER} ${CROSS} ${file_path} does not exist"
|
||||
download=false
|
||||
else
|
||||
if [ "$(id -un)" == "root" ]; then
|
||||
# If we are root, we need to check if the pihole user has read permission
|
||||
# otherwise, we might read files that the pihole user should not be able to read
|
||||
if sudo -u pihole test -r "${file_path}"; then
|
||||
echo -e "${OVER} ${INFO} Using local file ${file_path}"
|
||||
else
|
||||
echo -e "${OVER} ${CROSS} Cannot read file (user 'pihole' lacks read permission)"
|
||||
download=false
|
||||
fi
|
||||
else
|
||||
# If we are not root, we just check if the current user has read permission
|
||||
if [[ -r "${file_path}" ]]; then
|
||||
# Output that we are using the local file
|
||||
echo -e "${OVER} ${INFO} Using local file ${file_path}"
|
||||
else
|
||||
# Output that the file is not readable by the current user
|
||||
echo -e "${OVER} ${CROSS} Cannot read file (current user '$(id -un)' lacks read permission)"
|
||||
download=false
|
||||
fi
|
||||
fi
|
||||
# Check if the file or a file referenced by the symlink has a+r permissions
|
||||
permissions=$(stat -L -c "%a" "$file_path")
|
||||
if [[ $permissions == *4 || $permissions == *5 || $permissions == *6 || $permissions == *7 ]]; then
|
||||
# Output that we are using the local file
|
||||
echo -e "${OVER} ${INFO} Using local file ${file_path}"
|
||||
else
|
||||
# Output that the file does not have the correct permissions
|
||||
echo -e "${OVER} ${CROSS} Cannot read file (file needs to have a+r permission)"
|
||||
download=false
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check for allowed protocols
|
||||
if [[ $url != "http"* && $url != "https"* && $url != "file"* && $url != "ftp"* && $url != "ftps"* && $url != "sftp"* ]]; then
|
||||
echo -e "${OVER} ${CROSS} ${str} Invalid protocol specified. Ignoring list."
|
||||
echo -e " Ensure your URL starts with a valid protocol like http:// , https:// or file:// ."
|
||||
echo -e "Ensure your URL starts with a valid protocol like http:// , https:// or file:// ."
|
||||
download=false
|
||||
fi
|
||||
|
||||
if [[ "${download}" == true ]]; then
|
||||
httpCode=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression:+${compression}} ${customUpstreamResolver:+${customUpstreamResolver}} "${modifiedOptions[@]}" -w "%{http_code}" "${url}" -o "${listCurlBuffer}" 2>/dev/null)
|
||||
curlJson=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression:+${compression}} ${customUpstreamResolver:+${customUpstreamResolver}} "${modifiedOptions[@]}" -w "%{json}" "${url}" -o "${listCurlBuffer}")
|
||||
fi
|
||||
|
||||
# Retrieve the HTTP code, exit code and error message returned by curl command
|
||||
httpCode=$(echo "${curlJson}" | jq '.http_code')
|
||||
curlErrorMsg=$(echo "${curlJson}" | jq '.errormsg')
|
||||
curlExitCode=$(echo "${curlJson}" | jq '.exitcode')
|
||||
|
||||
case $url in
|
||||
# Did we "download" a local file?
|
||||
"file"*)
|
||||
@@ -791,7 +785,6 @@ gravity_DownloadBlocklistFromUrl() {
|
||||
echo -e "${OVER} ${TICK} ${str} No changes detected"
|
||||
success=true
|
||||
;;
|
||||
"000") echo -e "${OVER} ${CROSS} ${str} Connection Refused" ;;
|
||||
"403") echo -e "${OVER} ${CROSS} ${str} Forbidden" ;;
|
||||
"404") echo -e "${OVER} ${CROSS} ${str} Not found" ;;
|
||||
"408") echo -e "${OVER} ${CROSS} ${str} Time-out" ;;
|
||||
@@ -800,7 +793,7 @@ gravity_DownloadBlocklistFromUrl() {
|
||||
"504") echo -e "${OVER} ${CROSS} ${str} Connection Timed Out (Gateway)" ;;
|
||||
"521") echo -e "${OVER} ${CROSS} ${str} Web Server Is Down (Cloudflare)" ;;
|
||||
"522") echo -e "${OVER} ${CROSS} ${str} Connection Timed Out (Cloudflare)" ;;
|
||||
*) echo -e "${OVER} ${CROSS} ${str} ${url} (${httpCode})" ;;
|
||||
*) echo -e "${OVER} ${CROSS} ${str} Failure (exit_code=${COL_RED}${curlExitCode}${COL_NC} Msg: ${COL_CYAN}${curlErrorMsg}${COL_NC})" ;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
@@ -1141,7 +1134,7 @@ fi
|
||||
|
||||
if [[ "${forceDelete:-}" == true ]]; then
|
||||
str="Deleting existing list cache"
|
||||
echo -ne " ${INFO} ${str}..."
|
||||
echo -ne "${INFO} ${str}..."
|
||||
|
||||
rm "${listsCacheDir}/list.*" 2>/dev/null || true
|
||||
echo -e "${OVER} ${TICK} ${str}"
|
||||
|
||||
Reference in New Issue
Block a user