
binarycheck.pl 3.0 KB

  1. #!/usr/bin/env perl
  2. #***************************************************************************
  3. # _ _ ____ _
  4. # Project ___| | | | _ \| |
  5. # / __| | | | |_) | |
  6. # | (__| |_| | _ <| |___
  7. # \___|\___/|_| \_\_____|
  8. #
  9. # Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  10. #
  11. # This software is licensed as described in the file COPYING, which
  12. # you should have received as part of this distribution. The terms
  13. # are also available at https://curl.se/docs/copyright.html.
  14. #
  15. # You may opt to use, copy, modify, merge, publish, distribute and/or sell
  16. # copies of the Software, and permit persons to whom the Software is
  17. # furnished to do so, under the terms of the COPYING file.
  18. #
  19. # This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  20. # KIND, either express or implied.
  21. #
  22. # SPDX-License-Identifier: curl
  23. #
  24. ###########################################################################
  25. # This script scans the entire git repository for binary files.
  26. #
  27. # All files in the git repo that contain signs of being binary are then
  28. # collected and a sha256sum is generated for all of them. That summary is then
  29. # compared to the list of pre-vetted files so that only the exact copies of
  30. # already scrutinized files are deemed okay to "appear binary".
  31. #
  32. use strict;
  33. use warnings;
  # Directory handed to "git ls-files". The first command-line argument
  # overrides the default. It is caller-supplied, so treat it as untrusted
  # wherever it is passed on to an external command.
  my $root = $ARGV[0] || ".";

  # The vetted list of digest/file-name lines, in sha256sum format.
  my $sumsfile = ".github/scripts/binarycheck.sums";

  my $error = 0;  # number of problems found so far; ends up as the exit code
  my %known;      # file name => 1 for every entry read from $sumsfile
  my @bin;        # every file found to contain binary-looking bytes
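  # Load the list of pre-vetted binary files from $sumsfile into %known.
  #
  # Each line must be either a comment (leading '#') or a SHA-256 digest
  # followed by a file name. Only the file name is recorded here; the digests
  # are verified by the separate "sha256sum -c" run. Every other line is
  # reported as suspicious and counted in $error.
  sub knownbins {
    open(my $mh, "<", "$sumsfile") ||
      die "can't read known binaries";
    while(my $l = <$mh>) {
      chomp $l;
      # Require exactly 64 lowercase hex digits. GNU "sha256sum -c" without
      # --strict only warns about lines it cannot parse, so accepting a
      # digest of any other length here would mark a file as known without
      # its contents ever being verified.
      #
      # The separator is one space optionally followed by the second space or
      # '*' that sha256sum writes, so the recorded name never starts with
      # separator characters. The name itself must not be empty.
      if($l =~ /^[a-f0-9]{64} [ *]?(.+)/) {
        $known{$1} = 1;
      }
      elsif($l =~ /^#/) {
        # skip comments
      }
      else {
        print STDERR "suspicious line in $sumsfile\n";
        $error++;
      }
    }
    close($mh);
  }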
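  # Scan one file for bytes that suggest binary content.
  #
  # The file is read line by line. The first line holding a control character
  # other than tab, newline or carriage return (0x00-0x08, 0x0b, 0x0c,
  # 0x0e-0x1f, 0x7f) makes the file count as binary: it is appended to @bin
  # and, unless its name is in %known, reported on stderr and counted in
  # $error. Scanning stops at that first hit. Bytes 0x80 and above are not
  # treated as binary, so UTF-8 text passes.
  #
  # Dies if the file cannot be opened.
  sub checkfile {
    my ($file) = @_;
    open(my $mh, "<", "$file") || die "can't read $file";
    my $line = 0;
    while(my $l = <$mh>) {
      $line++;
      if($l =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/) {
        push @bin, $file;
        if(!$known{$file}) {
          # print, not printf: the file name comes from the repository and
          # must never be interpreted as a format string.
          print STDERR "$file:$line has unknown binary contents\n";
          $error++;
        }
        last;
      }
    }
    close($mh);
  }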
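  # List the tracked files. git is run without a shell (list-form pipe open)
  # so that $root, which may come from the command line, is passed as a
  # single argument and cannot be interpreted as shell syntax. -z makes git
  # print NUL-terminated, unquoted names, so unusual file names reach
  # checkfile() exactly as they are stored in the repository.
  my @files;
  if(open(my $gh, "-|", "git", "ls-files", "-z", "--", $root)) {
    local $/ = "\0";
    @files = <$gh>;
    chomp @files;
    close($gh);
  }
  if(scalar(@files) < 3000) {
    # Fail closed: this is not the expected source code repository, or git
    # does not work, so nothing can be vouched for.
    print STDERR "too few files in the git repository!\n";
    exit 1;
  }

  knownbins();
  if(scalar(keys %known) < 10) {
    # Fail closed as well: an empty or truncated list of vetted binaries
    # is treated as a broken setup.
    print STDERR "too few known binaries in $sumsfile\n";
    exit 2;
  }

  for my $f (@files) {
    checkfile("$root/$f");
  }

  # Verify that every vetted binary still has exactly the recorded digest.
  # List form keeps the shell out of this call too.
  # NOTE(review): GNU sha256sum only warns about malformed lines in the sums
  # file unless --strict is given; consider adding it if the sha256sum used
  # in CI supports that option.
  my $check = system("sha256sum", "-c", $sumsfile);
  if($check) {
    print STDERR "sha256sum detected a problem\n";
    $error++;
  }

  # An exit status is truncated to 8 bits, so a raw count of 256 errors would
  # be reported as success. Clamp the count instead.
  exit($error > 255 ? 255 : $error);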