bashrs 6.66.0

Rust-to-Shell transpiler for deterministic bootstrap scripts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

//! REL004: TOCTOU lock file race condition
//!
//! **Rule**: Detect `if [ ! -f lockfile ]; then touch lockfile` pattern
//!
//! **Why this matters**:
//! The pattern `if [ ! -f file ]; then touch file; fi` has a Time-of-Check
//! to Time-of-Use (TOCTOU) race condition. Between the check and the touch,
//! another process may create the file. Use atomic operations like `mkdir`
//! or `ln` for lock files instead.
//!
//! **Auto-fix**: None (requires architectural change)
//!
//! ## Examples
//!
//! Bad (TOCTOU race):
//! ```bash
//! if [ ! -f /tmp/lock ]; then
//!     touch /tmp/lock
//! fi
//! ```
//!
//! Good (atomic lock):
//! ```bash
//! mkdir /tmp/lock.d 2>/dev/null || { echo "locked"; exit 1; }
//! ```

use crate::linter::{Diagnostic, LintResult, Severity, Span};

/// Check for TOCTOU lock file patterns
pub fn check(source: &str) -> LintResult {
    let mut result = LintResult::new();

    let lines: Vec<&str> = source.lines().collect();

    for (line_num, line) in lines.iter().enumerate() {
        let trimmed = line.trim();

        // Skip comments
        if trimmed.starts_with('#') {
            continue;
        }

        // Pattern 1: if [ ! -f FILE ]; then ... touch FILE
        // Look for the check pattern
        let is_file_check = (trimmed.contains("[ ! -f ") || trimmed.contains("[ ! -e "))
            && (trimmed.contains("; then") || trimmed.ends_with("then"));

        if is_file_check {
            // Look in the next few lines for a touch/creation of the same file
            let check_end = line_num + 5; // Look ahead up to 5 lines
            let max_line = check_end.min(lines.len());

            for (next_line_num, next_line) in
                lines.iter().enumerate().take(max_line).skip(line_num + 1)
            {
                let next_trimmed = next_line.trim();

                if next_trimmed.contains("touch ") || next_trimmed.contains("> ") {
                    let span =
                        Span::new(line_num + 1, 1, next_line_num + 1, next_trimmed.len() + 1);

                    let diagnostic = Diagnostic::new(
                        "REL004",
                        Severity::Warning,
                        "TOCTOU race condition: check-then-create pattern for lock file. Use `mkdir` for atomic locking.",
                        span,
                    );

                    result.add(diagnostic);
                    break;
                }

                // Stop at fi/else/done
                if next_trimmed == "fi" || next_trimmed == "else" || next_trimmed == "done" {
                    break;
                }
            }
        }
    }

    result
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_rel004_detects_toctou_pattern() {
        let script = "if [ ! -f /tmp/lock ]; then\n    touch /tmp/lock\nfi";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 1);
        assert_eq!(result.diagnostics[0].code, "REL004");
        assert_eq!(result.diagnostics[0].severity, Severity::Warning);
    }

    #[test]
    fn test_rel004_no_flag_without_touch() {
        let script = "if [ ! -f /tmp/lock ]; then\n    echo locked\nfi";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_rel004_no_false_positive_comment() {
        let script = "# if [ ! -f /tmp/lock ]; then";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_rel004_no_fix_provided() {
        let script = "if [ ! -f /tmp/lock ]; then\n    touch /tmp/lock\nfi";
        let result = check(script);
        assert!(result.diagnostics[0].fix.is_none());
    }

    #[test]
    fn test_rel004_detects_with_e_flag() {
        let script = "if [ ! -e /tmp/lock ]; then\n    touch /tmp/lock\nfi";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_rel004_no_flag_mkdir_pattern() {
        // mkdir is atomic, so not a TOCTOU
        let script = "mkdir /tmp/lock.d 2>/dev/null || exit 1";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 0);
    }
}