Skip to content

Commit 4cd95d1

Browse files
committed
fix: harden symbol archive script
1 parent b6ba37b commit 4cd95d1

1 file changed

Lines changed: 32 additions & 7 deletions

File tree

scripts/create-native-debug-symbols.sh

Lines changed: 32 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -16,10 +16,12 @@ build_number=$(
1616
}
1717
' app/build.gradle.kts
1818
)
19-
if [ -z "$build_number" ]; then
20-
echo "Unable to read versionCode from app/build.gradle.kts." >&2
21-
exit 1
22-
fi
19+
case "$build_number" in
20+
''|*[!0-9]*)
21+
echo "Unable to read numeric versionCode from app/build.gradle.kts." >&2
22+
exit 1
23+
;;
24+
esac
2325

2426
output="app/build/outputs/native-debug-symbols/$variant/native-debug-symbols-$build_number.zip"
2527
output_dir=$(dirname "$output")
@@ -150,15 +152,14 @@ copy_archive_symbols() {
150152
for lib_name in $required_libs; do
151153
copied=false
152154
entry="$abi/$lib_name"
153-
if unzip -qo "$archive" "$entry" -d "$tmp_dir" 2>/dev/null; then
155+
if copy_archive_entry "$archive" "$tmp_dir" "$abi" "$lib_name" "$entry"; then
154156
copied=true
155157
fi
156158

157159
if [ "$copied" = false ]; then
158160
for suffix in $archive_symbol_suffixes; do
159161
entry="$abi/$lib_name$suffix"
160-
if unzip -qo "$archive" "$entry" -d "$tmp_dir" 2>/dev/null; then
161-
mv "$tmp_dir/$entry" "$tmp_dir/$abi/$lib_name"
162+
if copy_archive_entry "$archive" "$tmp_dir" "$abi" "$lib_name" "$entry"; then
162163
copied=true
163164
break
164165
fi
@@ -168,6 +169,30 @@ copy_archive_symbols() {
168169
done
169170
}
170171

172+
copy_archive_entry() {
173+
archive="$1"
174+
tmp_dir="$2"
175+
abi="$3"
176+
lib_name="$4"
177+
entry="$5"
178+
output_lib="$tmp_dir/$abi/$lib_name"
179+
180+
if ! unzip -Z -1 "$archive" "$entry" >/dev/null 2>&1; then
181+
return 1
182+
fi
183+
184+
if [ -f "$output_lib" ]; then
185+
echo "Duplicate native debug symbol entry '$abi/$lib_name' found while reading '$archive'." >&2
186+
echo "Refusing to overwrite symbol metadata from an earlier archive." >&2
187+
exit 1
188+
fi
189+
190+
unzip -q "$archive" "$entry" -d "$tmp_dir"
191+
if [ "$entry" != "$abi/$lib_name" ]; then
192+
mv "$tmp_dir/$entry" "$output_lib"
193+
fi
194+
}
195+
171196
validate_output_zip() {
172197
archive="$1"
173198
zip -T "$archive" >/dev/null

0 commit comments

Comments
 (0)