Fixcve (#197)

* refactor: 移除废弃的接口

Task: https://pms.uniontech.com/task-view-379371.html

* fix: 修复任意地址文件可读写漏洞

Task: https://pms.uniontech.com/task-view-379373.html

---------

Co-authored-by: lichangze <lichangze@uniontech.com>

Author: KT-lcz

…service-trigger/LicenseInfo.service.json …service-trigger/LicenseInfo.service.jsonusr/lib/deepin-daemon/service-trigger/LicenseInfo.service.json renamed to lib/deepin-daemon/service-trigger/LicenseInfo.service.json usr/lib/deepin-daemon/service-trigger/LicenseInfo.service.json renamed to lib/deepin-daemon/service-trigger/LicenseInfo.service.json

@@ -9,4 +9,6 @@ ExecStart=/usr/libexec/lastore-daemon/lastore-daemon
 StandardOutput=null
 StandardError=null
 StateDirectory=lastore
-CacheDirectory=lastore
+CacheDirectory=lastore
+RuntimeDirectory=lastore
+RuntimeDirectoryMode=0750

lib/systemd/system/lastore-daemon.service

@@ -101,6 +101,7 @@ clean:
 	rm -rf pkg
 	rm -rf vendor/pkg
 	rm -rf vendor/bin
+	rm -rf gopath
 
 check_code_quality:
 	${GoPath} go vet ./src/...

makefile

@@ -168,7 +168,7 @@ func parsePkgSystemError(out, err []byte) error {
 	}
 }
 
-func CheckPkgSystemError(lock bool) error {
+func CheckPkgSystemError(lock bool, indicator system.Indicator) error {
 	args := []string{"check"}
 	if !lock {
 		// without locking, it can only check for dependencies broken
@@ -180,20 +180,18 @@ func CheckPkgSystemError(lock bool) error {
 	cmd.Stdout = &outBuf
 	var errBuf bytes.Buffer
 	cmd.Stderr = &errBuf
-	ff, err := system.OpenFlush(system.FlushName)
-	if err == nil {
-		defer func() {
-			ff.WriteString(fmt.Sprintf("=== CheckPkg %v end ===\n", cmd.Args))
-			ff.Close()
-		}()
+	defer func() {
+		indicator(system.JobProgressInfo{
+			OnlyLog:     true,
+			OriginalLog: fmt.Sprintf("=== CheckPkg %v end ===\n", cmd.Args),
+		})
+	}()
 
-		err = ff.SetFlushCmd(cmd)
-		if err != nil {
-			logger.Warning(err)
-		}
-	}
-	ff.WriteString(fmt.Sprintf("=== CheckPkg cmd running: %v ===\n", cmd.Args))
-	err = cmd.Run()
+	indicator(system.JobProgressInfo{
+		OnlyLog:     true,
+		OriginalLog: fmt.Sprintf("=== CheckPkg cmd running: %v ===\n", cmd.Args),
+	})
+	err := cmd.Run()
 	if err == nil {
 		return nil
 	}
@@ -251,7 +249,7 @@ func OptionToArgs(options map[string]string) []string {
 }
 
 func (p *APTSystem) DownloadPackages(jobId string, packages []string, environ map[string]string, args map[string]string) error {
-	err := CheckPkgSystemError(false)
+	err := CheckPkgSystemError(false, p.Indicator)
 	if err != nil {
 		return err
 	}
@@ -276,7 +274,7 @@ func (p *APTSystem) DownloadSource(jobId string, packages []string, environ map[
 
 func (p *APTSystem) Remove(jobId string, packages []string, environ map[string]string) error {
 	WaitDpkgLockRelease()
-	err := CheckPkgSystemError(true)
+	err := CheckPkgSystemError(true, p.Indicator)
 	if err != nil {
 		return err
 	}
@@ -289,7 +287,7 @@ func (p *APTSystem) Remove(jobId string, packages []string, environ map[string]s
 
 func (p *APTSystem) Install(jobId string, packages []string, environ map[string]string, args map[string]string) error {
 	WaitDpkgLockRelease()
-	err := CheckPkgSystemError(true)
+	err := CheckPkgSystemError(true, p.Indicator)
 	if err != nil {
 		return err
 	}
@@ -301,7 +299,7 @@ func (p *APTSystem) Install(jobId string, packages []string, environ map[string]
 
 func (p *APTSystem) DistUpgrade(jobId string, packages []string, environ map[string]string, args map[string]string) error {
 	WaitDpkgLockRelease()
-	err := CheckPkgSystemError(true)
+	err := CheckPkgSystemError(true, p.Indicator)
 	if err != nil {
 		// 无需处理依赖错误,在获取可更新包时,使用dist-upgrade -d命令获取,就会报错了
 		var e *system.JobError

src/internal/system/apt/proxy.go

@@ -9,17 +9,11 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
-	"io"
 	"os"
 	"os/exec"
 	"strings"
 	"sync"
 	"syscall"
-	"time"
-)
-
-const (
-	FlushName = "/tmp/lastore_update_detail.log"
 )
 
 type CommandSet interface {
@@ -47,8 +41,6 @@ type Command struct {
 	Stdout   bytes.Buffer
 	Stderr   bytes.Buffer
 	AtExitFn func() bool
-
-	ff *fileFlush
 }
 
 func (c *Command) String() string {
@@ -86,11 +78,6 @@ func (c *Command) SetEnv(envVarMap map[string]string) {
 
 func (c *Command) Start() error {
 	var err error
-	c.ff, err = OpenFlush(FlushName)
-	if err != nil {
-		return err
-	}
-
 	rr, ww, err := os.Pipe()
 	if err != nil {
 		return fmt.Errorf("aptCommand.Start pipe : %v", err)
@@ -102,16 +89,10 @@ func (c *Command) Start() error {
 
 	// Print command start information
 	cmdStr := strings.Join(c.Cmd.Args, " ")
-	startMsg := fmt.Sprintf("=== Job %s running: %s ===\n", c.JobId, cmdStr)
-	if c.ff != nil {
-		c.ff.SetFlushCmd(c.Cmd)
-		_, err := c.ff.WriteString(startMsg)
-		if err != nil {
-			logger.Warning("failed to write start message to log file:", err)
-		} else {
-			c.ff.Sync()
-		}
-	}
+	c.Indicator(JobProgressInfo{
+		OnlyLog:     true,
+		OriginalLog: fmt.Sprintf("=== Job %s running: %s ===\n", c.JobId, cmdStr),
+	})
 
 	c.Cmd.ExtraFiles = append(c.Cmd.ExtraFiles, ww)
 
@@ -173,26 +154,10 @@ func (c *Command) atExit() {
 		statusStr = "UNKNOWN"
 	}
 
-	cmdStr := strings.Join(c.Cmd.Args, " ")
-	endMsg := fmt.Sprintf("=== Job %s end: %s [Status: %s] ===\n", c.JobId, cmdStr, statusStr)
-	logger.Info(endMsg)
-	if c.ff != nil {
-		_, err := c.ff.WriteString(endMsg)
-		if err != nil {
-			logger.Warning("failed to write end message to log file:", err)
-		} else {
-			c.ff.Sync()
-		}
-	}
-
-	// Close log file when process exits
-	if c.ff != nil {
-		err := c.ff.Close()
-		if err != nil {
-			logger.Warning("failed to close log file:", err)
-		}
-	}
-
+	c.Indicator(JobProgressInfo{
+		OnlyLog:     true,
+		OriginalLog: fmt.Sprintf("=== Job %s end: %s [Status: %s] ===\n", c.JobId, strings.Join(c.Cmd.Args, " "), statusStr),
+	})
 	logger.Infof("job %s Stdout: %s", c.JobId, c.Stdout.Bytes())
 	logger.Infof("job %s Stderr: %s", c.JobId, c.Stderr.Bytes())
 
@@ -214,6 +179,10 @@ func (c *Command) atExit() {
 			Cancelable: false,
 		})
 	case ExitFailure:
+		c.Indicator(JobProgressInfo{
+			OnlyLog:     true,
+			OriginalLog: c.Stderr.String(),
+		})
 		err := c.ParseJobError(c.Stderr.String(), c.Stdout.String())
 		if err != nil {
 			c.Indicator(JobProgressInfo{
@@ -248,23 +217,8 @@ func (c *Command) IndicateFailed(errType JobErrorType, errDetail string, isFatal
 	logger.Warningf("IndicateFailed: type: %s, detail: %s", errType, errDetail)
 
 	// Print command end information with failed status and close log file
-	cmdStr := strings.Join(c.Cmd.Args, " ")
-	endMsg := fmt.Sprintf("=== Job %s end: %s [Status: FAILED - %s] ===\n", c.JobId, cmdStr, errType)
+	endMsg := fmt.Sprintf("=== Job %s end: %s [Status: FAILED - %s] ===\n", c.JobId, strings.Join(c.Cmd.Args, " "), errType.String())
 	logger.Info(endMsg)
-	if c.ff != nil {
-		_, err := c.ff.WriteString(endMsg)
-		if err != nil {
-			logger.Warning("failed to write end message to log file:", err)
-		} else {
-			c.ff.Sync()
-		}
-		// Close log file when indicating failed
-		err = c.ff.Close()
-		if err != nil {
-			logger.Warning("failed to close log file:", err)
-		}
-	}
-
 	progressInfo := JobProgressInfo{
 		JobId:      c.JobId,
 		Progress:   -1.0,
@@ -274,7 +228,8 @@ func (c *Command) IndicateFailed(errType JobErrorType, errDetail string, isFatal
 			ErrType:   errType,
 			ErrDetail: errDetail,
 		},
-		FatalError: isFatalErr,
+		FatalError:  isFatalErr,
+		OriginalLog: endMsg,
 	}
 	c.CmdSet.RemoveCMD(c.JobId)
 	c.Indicator(progressInfo)
@@ -323,109 +278,14 @@ func (c *Command) updateProgress() {
 		info, err := c.ParseProgressInfo(c.JobId, line)
 		if err != nil {
 			logger.Errorf("aptCommand.updateProgress %v -> %v\n", info, err)
+			c.Indicator(JobProgressInfo{
+				OnlyLog:     true,
+				OriginalLog: line,
+			})
 			continue
 		}
-
+		info.OriginalLog = line
 		c.Cancelable = info.Cancelable
 		c.Indicator(info)
 	}
 }
-
-type fileFlush struct {
-	fileName string
-	file     *os.File
-	fileMu   sync.Mutex
-}
-
-func OpenFlush(file string) (*fileFlush, error) {
-	if file == "" {
-		return nil, fmt.Errorf("file name is empty")
-	}
-
-	ff := &fileFlush{fileName: file}
-	ff.fileMu.Lock()
-	defer ff.fileMu.Unlock()
-
-	var err error
-	ff.file, err = os.OpenFile(ff.fileName, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644)
-	if err != nil {
-		return nil, err
-	}
-
-	return ff, nil
-}
-
-func (ff *fileFlush) Close() error {
-	ff.fileMu.Lock()
-	defer ff.fileMu.Unlock()
-	if ff.file != nil {
-		return ff.file.Close()
-	}
-	return nil
-}
-
-func (ff *fileFlush) SetFlushCmd(cmd *exec.Cmd) error {
-	ff.fileMu.Lock()
-	defer ff.fileMu.Unlock()
-	if ff.file == nil {
-		return fmt.Errorf("file is not open")
-	}
-
-	// Handle case where cmd.Stdout/Stderr might be nil
-	if cmd.Stdout != nil {
-		cmd.Stdout = io.MultiWriter(cmd.Stdout, ff)
-	} else {
-		cmd.Stdout = ff
-	}
-
-	if cmd.Stderr != nil {
-		cmd.Stderr = io.MultiWriter(cmd.Stderr, ff)
-	} else {
-		cmd.Stderr = ff
-	}
-
-	return nil
-}
-
-func (ff *fileFlush) Write(data []byte) (int, error) {
-	ff.fileMu.Lock()
-	defer ff.fileMu.Unlock()
-	if ff.file == nil {
-		return 0, fmt.Errorf("file is not open")
-	}
-
-	// Add timestamp to each line
-	timestamp := time.Now().Format("2006-01-02 15:04:05")
-	lines := strings.Split(string(data), "\n")
-	var timestampedLines []string
-
-	for _, line := range lines {
-		if line != "" {
-			timestampedLines = append(timestampedLines, fmt.Sprintf("[%s] %s", timestamp, line))
-		} else {
-			timestampedLines = append(timestampedLines, "")
-		}
-	}
-
-	timestampedData := []byte(strings.Join(timestampedLines, "\n"))
-	_, err := ff.file.Write(timestampedData)
-	if err != nil {
-		return 0, err
-	}
-
-	// 重要：必须返回原始数据的长度，不是时间戳数据的长度
-	return len(data), nil
-}
-
-func (ff *fileFlush) WriteString(data string) (int, error) {
-	return ff.Write([]byte(data))
-}
-
-func (ff *fileFlush) Sync() error {
-	ff.fileMu.Lock()
-	defer ff.fileMu.Unlock()
-	if ff.file == nil {
-		return fmt.Errorf("file is not open")
-	}
-	return ff.file.Sync()
-}

src/internal/system/command.go

@@ -118,7 +118,6 @@ const (
 	ErrorDamagePackage           JobErrorType = "damagePackage" // 包损坏,需要删除后重新下载或者安装
 	ErrorInvalidSourcesList      JobErrorType = "invalidSourceList"
 	ErrorPlatformUnreachable     JobErrorType = "platformUnreachable"
-	ErrorOfflineCheck            JobErrorType = "offlineCheckError"
 
 	ErrorMissCoreFile  JobErrorType = "missCoreFile"
 	ErrorScript        JobErrorType = "scriptError"

src/internal/system/common.go

@@ -167,15 +167,12 @@ func parseProgressInfo(id, line string) (system.JobProgressInfo, error) {
 	}
 }
 
-func CheckSystem(typ checkType, ifOffline bool, cmdArgs []string) *system.JobError {
+func CheckSystem(typ checkType, cmdArgs []string) *system.JobError {
 	bin := "/usr/bin/deepin-system-update"
 	var args []string
 	args = append(args, "check")
 	args = append(args, typ.String())
-	if ifOffline {
-		args = append(args, "--meta-cfg")
-		args = append(args, system.DutOfflineMetaConfPath)
-	} else {
+	{
 		args = append(args, "--meta-cfg")
 		args = append(args, system.DutOnlineMetaConfPath)
 	}