From fd5ca3f09e3aea4ac6c106f631728a1f06711892 Mon Sep 17 00:00:00 2001 From: Reuben Miller Date: Wed, 13 Mar 2024 22:45:39 +0100 Subject: [PATCH 1/8] use `$@` over `$*`. SC2048 I agree to license my contributions to each file under the terms given at the top of each file I changed. --- mk/cargo.sh | 2 +- mk/check-symbol-prefixes.sh | 2 +- mk/install-build-tools.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/mk/cargo.sh b/mk/cargo.sh index 07b84a54ad..807e2681ed 100755 --- a/mk/cargo.sh +++ b/mk/cargo.sh @@ -43,7 +43,7 @@ if [ -n "${ANDROID_NDK_ROOT-}" ]; then android_tools=${ANDROID_NDK_ROOT}/toolchains/llvm/prebuilt/linux-x86_64/bin fi -for arg in $*; do +for arg in "$@"; do case $arg in --target=*) target=${arg#*=} diff --git a/mk/check-symbol-prefixes.sh b/mk/check-symbol-prefixes.sh index 879821bac1..ff1cce15d8 100755 --- a/mk/check-symbol-prefixes.sh +++ b/mk/check-symbol-prefixes.sh @@ -17,7 +17,7 @@ set -eux -o pipefail IFS=$'\n\t' -for arg in $*; do +for arg in "$@"; do case $arg in --target=*) target=${arg#*=} diff --git a/mk/install-build-tools.sh b/mk/install-build-tools.sh index ee26037aee..5aedfd0b90 100755 --- a/mk/install-build-tools.sh +++ b/mk/install-build-tools.sh @@ -18,7 +18,7 @@ set -eux -o pipefail IFS=$'\n\t' toolchain=stable -for arg in $*; do +for arg in "$@"; do case $arg in --target=*) target=${arg#*=} From a1e7a302fb8a7ce89f3f64b5a9c58aa423851b88 Mon Sep 17 00:00:00 2001 From: Reuben Miller Date: Wed, 13 Mar 2024 22:51:14 +0100 Subject: [PATCH 2/8] prevent globbing and word splitting. SC2086 I agree to license my contributions to each file under the terms given at the top of each file I changed. --- mk/cargo.sh | 12 ++++++------ mk/check-symbol-prefixes.sh | 4 ++-- mk/clippy.sh | 2 +- mk/install-build-tools.sh | 8 ++++---- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/mk/cargo.sh b/mk/cargo.sh index 807e2681ed..8f8d07b277 100755 --- a/mk/cargo.sh +++ b/mk/cargo.sh 
@@ -215,7 +215,7 @@ if [ -n "${RING_COVERAGE-}" ]; then # something similar but different. # export LLVM_PROFILE_FILE="$coverage_dir/%m.profraw" - target_upper=$(echo ${target_lower} | tr '[:lower:]' '[:upper:]') + target_upper=$(echo "${target_lower}" | tr '[:lower:]' '[:upper:]') case "$OSTYPE" in linux*) @@ -251,16 +251,16 @@ cargo "$@" if [ -n "${RING_COVERAGE-}" ]; then # Keep in sync with check-symbol-prefixes.sh. # Use the host target-libdir, not the target target-libdir. - llvm_root="$(rustc +${toolchain} --print target-libdir)/../bin" + llvm_root="$(rustc +"${toolchain}" --print target-libdir)/../bin" while read executable; do basename=$(basename "$executable") - ${llvm_root}/llvm-profdata merge -sparse "$coverage_dir/$basename.profraw" -o "$coverage_dir/$basename.profdata" + "${llvm_root}"/llvm-profdata merge -sparse "$coverage_dir/$basename.profraw" -o "$coverage_dir/$basename.profdata" mkdir -p "$coverage_dir"/reports - ${llvm_root}/llvm-cov export \ - --instr-profile "$coverage_dir"/$basename.profdata \ + "${llvm_root}"/llvm-cov export \ + --instr-profile "$coverage_dir/$basename.profdata" \ --format lcov \ "$executable" \ - > "$coverage_dir"/reports/coverage-$basename.txt + > "$coverage_dir/reports/coverage-$basename.txt" done < "$RING_BUILD_EXECUTABLE_LIST" fi diff --git a/mk/check-symbol-prefixes.sh b/mk/check-symbol-prefixes.sh index ff1cce15d8..79a8f332b2 100755 --- a/mk/check-symbol-prefixes.sh +++ b/mk/check-symbol-prefixes.sh @@ -32,7 +32,7 @@ done # Keep in sync with cargo.sh. # Use the host target-libdir, not the target target-libdir. -llvm_root="$(rustc +${toolchain} --print target-libdir)/../bin" +llvm_root="$(rustc +"${toolchain}" --print target-libdir)/../bin" nm_exe="${llvm_root}/llvm-nm" 
@@ -44,7 +44,7 @@ nm_exe="${llvm_root}/llvm-nm" # # This is very liberal in filtering out symbols that "look like" # Rust-compiler-generated symbols. -find target/$target -type f -name libring-*.rlib | while read -r infile; do +find "target/$target" -type f -name libring-*.rlib | while read -r infile; do bad=$($nm_exe --defined-only --extern-only --print-file-name "$infile" \ | ( grep -v -E " . _?(__imp__ZN4ring|ring_core_|__rustc|_ZN|DW.ref.rust_eh_personality)" || [[ $? == 1 ]] )) if [ ! -z "${bad-}" ]; then diff --git a/mk/clippy.sh b/mk/clippy.sh index 1187464384..e0ca48946f 100755 --- a/mk/clippy.sh +++ b/mk/clippy.sh @@ -24,4 +24,4 @@ cargo clippy \ --deny missing_docs \ --deny unused_qualifications \ --deny warnings \ - $NULL + "$NULL" diff --git a/mk/install-build-tools.sh b/mk/install-build-tools.sh index 5aedfd0b90..fd235826f1 100755 --- a/mk/install-build-tools.sh +++ b/mk/install-build-tools.sh @@ -62,7 +62,7 @@ case ${target-} in # XXX: Older Rust toolchain versions link with `-lgcc` instead of `-lunwind`; # see https://github.com/rust-lang/rust/pull/85806. - find -L ${ANDROID_NDK_ROOT:-${ANDROID_HOME}/ndk/$ndk_version} -name libunwind.a \ + find -L "${ANDROID_NDK_ROOT:-${ANDROID_HOME}/ndk/$ndk_version}" -name libunwind.a \ -execdir sh -c 'echo "INPUT(-lunwind)" > libgcc.a' \; ;; esac @@ -198,10 +198,10 @@ linux*) ;; esac -rustup toolchain install --no-self-update --profile=minimal ${toolchain} +rustup toolchain install --no-self-update --profile=minimal "${toolchain}" if [ -n "${target-}" ]; then - rustup target add --toolchain=${toolchain} ${target} + rustup target add --toolchain="${toolchain}" "${target}" fi if [ -n "${RING_COVERAGE-}" ]; then - rustup toolchain install --profile=minimal ${toolchain} --component llvm-tools-preview + rustup toolchain install --profile=minimal "${toolchain}" --component llvm-tools-preview fi From 99d56aa809e0f35e5a9880841d89c5110da1ed19 Mon Sep 17 00:00:00 2001 
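Review bot: The symbol gate in mk/check-symbol-prefixes.sh succeeds without inspecting anything when `find "target/$target"` prints no paths, because the `while read -r infile` body is the only place that can `exit 1` and it never runs on empty input. For a check meant to catch unprefixed exported symbols that is a fail-open result. Capturing the list first, `rlibs=$(find "target/$target" -type f -name 'libring-*.rlib')`, and stopping with `[ -n "$rlibs" ] || exit 1` before the loop would turn an empty match into an error. The loop's closing `done` is outside this hunk, so a guard may already exist there; PATCH 4/8 and 5/8 touch the same loop and add none.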
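Review bot: Quoting `$NULL` at the end of the `cargo clippy` invocation in mk/clippy.sh changes what is executed rather than only how it is written. If `NULL` is the usual empty line-continuation terminator (its definition is outside the hunk), `"$NULL"` passes one empty-string argument after `--deny warnings`, whereas the unquoted word expanded to no argument at all. That extra empty argument is likely to be rejected or read as an input path, which would break the lint step. Keep the word unquoted and put `# shellcheck disable=SC2086 # NULL is intentionally empty and must expand to nothing` above the command, or drop the terminator and end the list on `--deny warnings`.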
From: Reuben Miller Date: Wed, 13 Mar 2024 22:52:08 +0100 Subject: [PATCH 3/8] read without -r will mangle backslashes. SC2162 I agree to license my contributions to each file under the terms given at the top of each file I changed. --- mk/cargo.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mk/cargo.sh b/mk/cargo.sh index 8f8d07b277..7fa07d695d 100755 --- a/mk/cargo.sh +++ b/mk/cargo.sh @@ -253,7 +253,7 @@ if [ -n "${RING_COVERAGE-}" ]; then # Use the host target-libdir, not the target target-libdir. llvm_root="$(rustc +"${toolchain}" --print target-libdir)/../bin" - while read executable; do + while read -r executable; do basename=$(basename "$executable") "${llvm_root}"/llvm-profdata merge -sparse "$coverage_dir/$basename.profraw" -o "$coverage_dir/$basename.profdata" mkdir -p "$coverage_dir"/reports From bd0134225792ed366f778b79bc1e6b096459138b Mon Sep 17 00:00:00 2001 From: Reuben Miller Date: Wed, 13 Mar 2024 22:53:34 +0100 Subject: [PATCH 4/8] simplify by using `-n`. SC2236 I agree to license my contributions to each file under the terms given at the top of each file I changed. --- mk/check-symbol-prefixes.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mk/check-symbol-prefixes.sh b/mk/check-symbol-prefixes.sh index 79a8f332b2..247dec9930 100755 --- a/mk/check-symbol-prefixes.sh +++ b/mk/check-symbol-prefixes.sh @@ -47,7 +47,7 @@ nm_exe="${llvm_root}/llvm-nm" find "target/$target" -type f -name libring-*.rlib | while read -r infile; do bad=$($nm_exe --defined-only --extern-only --print-file-name "$infile" \ | ( grep -v -E " . _?(__imp__ZN4ring|ring_core_|__rustc|_ZN|DW.ref.rust_eh_personality)" || [[ $? == 1 ]] )) - if [ ! -z "${bad-}" ]; then + if [ -n "${bad-}" ]; then echo "$bad" exit 1 fi From 739aa4887ec2d93ea87fe8acad1863675da61d03 Mon Sep 17 00:00:00 2001 
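Review bot: The `while read -r executable` loop in mk/cargo.sh still strips leading and trailing IFS whitespace from each path, since `-r` only stops backslash processing; `while IFS= read -r executable; do` keeps every line of the list byte-for-byte. A last line without a trailing newline is also dropped by this form, which `|| [ -n "$executable" ]` would cover if the writer of the list does not guarantee one. The loop ends at `done < "$RING_BUILD_EXECUTABLE_LIST"`, outside this hunk.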
From: Reuben Miller Date: Wed, 13 Mar 2024 22:56:38 +0100 Subject: [PATCH 5/8] prevent shell from interpreting the -name value. SC2061 I agree to license my contributions to each file under the terms given at the top of each file I changed. --- mk/check-symbol-prefixes.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mk/check-symbol-prefixes.sh b/mk/check-symbol-prefixes.sh index 247dec9930..60b079a2dc 100755 --- a/mk/check-symbol-prefixes.sh +++ b/mk/check-symbol-prefixes.sh @@ -44,7 +44,7 @@ nm_exe="${llvm_root}/llvm-nm" # # This is very liberal in filtering out symbols that "look like" # Rust-compiler-generated symbols. -find "target/$target" -type f -name libring-*.rlib | while read -r infile; do +find "target/$target" -type f -name "libring-*.rlib" | while read -r infile; do bad=$($nm_exe --defined-only --extern-only --print-file-name "$infile" \ | ( grep -v -E " . _?(__imp__ZN4ring|ring_core_|__rustc|_ZN|DW.ref.rust_eh_personality)" || [[ $? == 1 ]] )) if [ -n "${bad-}" ]; then From 896ea2f0183eec4278f5c37f6a9f82df1ca93674 Mon Sep 17 00:00:00 2001 From: Reuben Miller Date: Wed, 13 Mar 2024 22:58:15 +0100 Subject: [PATCH 6/8] prevent globbing and word splitting. SC2086 I agree to license my contributions to each file under the terms given at the top of each file I changed. --- bench/data/rsa-generate.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/bench/data/rsa-generate.sh b/bench/data/rsa-generate.sh index cf07722fc8..1e9e29d5a9 100755 --- a/bench/data/rsa-generate.sh +++ b/bench/data/rsa-generate.sh 
@@ -34,20 +34,20 @@ rm rsa-2048-65537.p8 m=(2048 3072 4096 8192) for i in "${m[@]}" do - echo $i + echo "$i" openssl genpkey -algorithm RSA \ -pkeyopt rsa_keygen_bits:2048 \ -pkeyopt rsa_keygen_pubexp:3 | \ - openssl pkcs8 -topk8 -nocrypt -outform der > rsa-$i-3.p8 + openssl pkcs8 -topk8 -nocrypt -outform der > "rsa-$i-3.p8" openssl pkey -pubout -inform der -outform der \ - -in rsa-$i-3.p8 | \ + -in "rsa-$i-3.p8" | \ openssl rsa -pubin -RSAPublicKey_out -inform DER -outform DER \ - -out rsa-$i-3-public-key.der + -out "rsa-$i-3-public-key.der" - openssl dgst -sha256 -sign rsa-$i-3.p8 -out rsa-$i-3-signature.bin empty_message + openssl dgst -sha256 -sign "rsa-$i-3.p8" -out "rsa-$i-3-signature.bin" empty_message - rm rsa-$i-3.p8 + rm "rsa-$i-3.p8" done rm empty_message From 9a18e6fdb9312615608f6be0f366f25e8b4367ec Mon Sep 17 00:00:00 2001 From: Reuben Miller Date: Tue, 14 May 2024 07:26:05 +0200 Subject: [PATCH 7/8] fixup! prevent globbing and word splitting. SC2086 --- mk/cargo.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mk/cargo.sh b/mk/cargo.sh index 7fa07d695d..d7a0d50763 100755 --- a/mk/cargo.sh +++ b/mk/cargo.sh @@ -251,7 +251,7 @@ cargo "$@" if [ -n "${RING_COVERAGE-}" ]; then # Keep in sync with check-symbol-prefixes.sh. # Use the host target-libdir, not the target target-libdir. - llvm_root="$(rustc +"${toolchain}" --print target-libdir)/../bin" + llvm_root=$(rustc +"${toolchain}" --print target-libdir)/../bin while read -r executable; do basename=$(basename "$executable") From 31dc1e6eb4badf6ff3f09310d729d3784fc60f39 Mon Sep 17 00:00:00 2001 From: Reuben Miller Date: Tue, 14 May 2024 07:41:29 +0200 Subject: [PATCH 8/8] fixup! prevent globbing and word splitting. SC2086 --- mk/cargo.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mk/cargo.sh b/mk/cargo.sh index d7a0d50763..00726a590b 100755 --- a/mk/cargo.sh +++ b/mk/cargo.sh 
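Review bot: Every pass of the `for i in "${m[@]}"` loop in bench/data/rsa-generate.sh generates a 2048-bit key, because `-pkeyopt rsa_keygen_bits:2048` is hard-coded while the outputs are named `rsa-$i-3-public-key.der` and `rsa-$i-3-signature.bin` for 3072, 4096 and 8192 as well. Unless that is intended, the data files labelled with the larger sizes do not carry the modulus size their names claim, and anything measured with them is measuring 2048-bit RSA. Writing the option as `-pkeyopt "rsa_keygen_bits:$i" \` ties the key size to the loop variable.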
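Review bot: The `llvm_root` assignment in mk/cargo.sh now differs from its twin in mk/check-symbol-prefixes.sh, which PATCH 2/8 left as `llvm_root="$(rustc +"${toolchain}" --print target-libdir)/../bin"`. Both forms behave the same, since the right-hand side of an assignment is not word-split, but the comment directly above asks for the two scripts to be kept in sync. Apply the same form in both files, or keep the quoted one here.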
@@ -255,9 +255,9 @@ if [ -n "${RING_COVERAGE-}" ]; then while read -r executable; do basename=$(basename "$executable") - "${llvm_root}"/llvm-profdata merge -sparse "$coverage_dir/$basename.profraw" -o "$coverage_dir/$basename.profdata" + "${llvm_root}/llvm-profdata" merge -sparse "$coverage_dir/$basename.profraw" -o "$coverage_dir/$basename.profdata" mkdir -p "$coverage_dir"/reports - "${llvm_root}"/llvm-cov export \ + "${llvm_root}/llvm-cov" export \ --instr-profile "$coverage_dir/$basename.profdata" \ --format lcov \ "$executable" \