From b893c0a7caa7774a4d18d4a03f8ecbe3be4e6642 Mon Sep 17 00:00:00 2001 From: Harald Sitter Date: Mon, 26 Feb 2018 11:09:03 +0100 Subject: [PATCH] prevent removal of a PublishedStorage's root dir presently there is no use case where we need this. on the other hand, passing empty paths into any of the remove methods is indicative of a bug. this is particularly dangerous as this can temporarily smash the publish root but later restore it again when actually publishing. this makes for super nasty and hard to track down problems. to guard against this simply disallow root dir removal using empty strings. should we find a use case for this in the future we can always revisit this (FTR: I think very explicitly API should be used so everyone knows what is going on and you can't accidentally run it) --- files/public.go | 6 ++++++ files/public_test.go | 16 ++++++++++++++++ 2 files changed, 22 insertions(+)
diff --git a/files/public.go b/files/public.go
index a9753003..9929d86d 100644
--- a/files/public.go
+++ b/files/public.go
@@ -97,12 +97,18 @@ func (storage *PublishedStorage) PutFile(path string, sourceFilename string) err
 // Remove removes single file under public path
 func (storage *PublishedStorage) Remove(path string) error {
+ if len(path) <= 0 {
+ panic("trying to remove empty path")
+ }
 filepath := filepath.Join(storage.rootPath, path)
 return os.Remove(filepath)
 }
 // RemoveDirs removes directory structure under public path
 func (storage *PublishedStorage) RemoveDirs(path string, progress aptly.Progress) error {
+ if len(path) <= 0 {
+ panic("trying to remove the root directory")
+ }
 filepath := filepath.Join(storage.rootPath, path)
 if progress != nil {
 progress.Printf("Removing %s...\n", filepath)
diff --git a/files/public_test.go b/files/public_test.go
index 3ffe3121..38a5093e 100644
--- a/files/public_test.go
+++ b/files/public_test.go
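Review bot: The new guards in `Remove` and `RemoveDirs` reject only the literal empty string, but `filepath.Join(storage.rootPath, path)` cleans its result, so values such as `.`, `/` or `sub/..` still resolve to the root directory and pass the check. Comparing the resolved path closes that gap: `if filepath.Join(storage.rootPath, path) == filepath.Clean(storage.rootPath) { panic("trying to remove the root directory") }`, placed before the local `filepath` variable shadows the package name. Both methods already return `error`, so returning one instead of panicking would keep a long-running caller alive while still surfacing the bug; if the panic is deliberate, a short comment saying so would help. The body of `RemoveDirs` continues outside the hunk.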
@@ -320,3 +320,19 @@ func (s *PublishedStorageSuite) TestLinkFromPool(c *C) {
 err = s.storageCopySize.LinkFromPool(filepath.Join("", "pool", "main", "m/mars-invaders"), "mars-invaders_1.03.deb", pool, srcPoolPath, sourceChecksum, false)
 c.Check(err, IsNil)
 }
+
+func (s *PublishedStorageSuite) TestRootRemove(c *C) {
+ // Prevent deletion of the root directory by passing empty subpaths.
+
+ pwd := c.MkDir()
+
+ // Symlink
+ linkedDir := filepath.Join(pwd, "linkedDir")
+ os.Symlink(s.root, linkedDir)
+ linkStorage := NewPublishedStorage(linkedDir, "", "")
+ c.Assert(func() { linkStorage.Remove("") }, PanicMatches, "trying to remove empty path")
+
+ // Actual dir
+ dirStorage := NewPublishedStorage(pwd, "", "")
+ c.Assert(func() { dirStorage.RemoveDirs("", nil) }, PanicMatches, "trying to remove the root directory")
+}
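Review bot: The return value of `os.Symlink(s.root, linkedDir)` in `TestRootRemove` is dropped, and because the guard panics before any filesystem call, the symlink case would pass even if the link was never created; `c.Assert(os.Symlink(s.root, linkedDir), IsNil)` makes the setup explicit. The test also exercises `Remove("")` only on the symlinked storage and `RemoveDirs("", nil)` only on the plain directory, and it never checks that the root still exists afterwards. Running both calls against both storages, plus a `.` subpath case, would pin the behaviour the commit message describes.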