Added a safeguard for invalid firewall rules

Firewall rule cannot be missing value in declaration (e.g. 'dsthost=' is not a valid rule). fixes QubesOS/qubes-issues#5772
2020-05-15 16:01:18 +02:00 · 2020-05-15 16:01:18 +02:00 · d2f4a4533a
commit d2f4a4533a
parent 83b1fc6c58
2 changed files with 14 additions and 0 deletions
--- a/qubesadmin/tests/tools/qvm_firewall.py
+++ b/qubesadmin/tests/tools/qvm_firewall.py
@ -96,6 +96,17 @@ class TC_00_RuleAction(qubesadmin.tests.QubesTestCase):
                qubesadmin.firewall.Rule(
                    None, action='accept', dsthost='127.0.0.1/32'))

+    def test_007_none_errors(self):
+        ns = argparse.Namespace()
+        with self.assertRaises(argparse.ArgumentError):
+            self.action(None, ns, ['dsthost=', 'action=accept'])
+        with self.assertRaises(argparse.ArgumentError):
+            self.action(None, ns, ['dsthost=127.0.0.1', 'dstports=',
+                                   'action=accept'])
+        with self.assertRaises(argparse.ArgumentError):
+            self.action(None, ns, ['dsthost=127.0.0.1', 'icmptype=',
+                                   'action=accept'])
+

 class TC_10_qvm_firewall(qubesadmin.tests.QubesTestCase):
    def setUp(self):
--- a/qubesadmin/tools/qvm_firewall.py
+++ b/qubesadmin/tools/qvm_firewall.py
@ -48,6 +48,9 @@ class RuleAction(argparse.Action):
        allowed_opts = assumed_order + ['specialtarget', 'comment', 'expire']
        kwargs = {}
        for opt in values:
+            if opt[-1] == '=':
+                raise argparse.ArgumentError(
+                    None, 'invalid rule description: {}'.format(opt))
            opt_elements = opt.split('=')
            if len(opt_elements) == 2:
                key, value = opt_elements