From 6dfda90a9a9f503eb38207cf1451ef3557608ddd Mon Sep 17 00:00:00 2001
From: Hisham Muhammad
Date: Mon, 24 Jun 2013 19:46:41 -0300
Subject: Add two new configuration options, 'hooks_enabled' and 'accepted_build_types', to deal with some security concerns raised in #35.
---
 src/luarocks/build.lua | 4 ++++
 src/luarocks/cfg.lua | 1 +
 src/luarocks/repos.lua | 5 +++++
 src/luarocks/util.lua | 9 +++++++++
 4 files changed, 19 insertions(+)
(limited to 'src')
diff --git a/src/luarocks/build.lua b/src/luarocks/build.lua
index 27afe18d..71b3cb89 100644
--- a/src/luarocks/build.lua
+++ b/src/luarocks/build.lua
@@ -197,6 +197,10 @@ function build_rockspec(rockspec_file, need_to_fetch, minimal_mode, deps_mode)
 build.type = "builtin"
 end
 
+ if cfg.accepted_build_types and util.array_contains(cfg.accepted_build_types, build.type) then
+ return nil, "This rockspec uses the '"..build.type.."' build type, which is blocked by the 'accepted_build_types' setting in your LuaRocks configuration."
+ end
+
 local build_type
 ok, build_type = pcall(require, "luarocks.build." .. build.type)
 if not ok or not type(build_type) == "table" then
diff --git a/src/luarocks/cfg.lua b/src/luarocks/cfg.lua
index a4626e10..259293c3 100644
--- a/src/luarocks/cfg.lua
+++ b/src/luarocks/cfg.lua
@@ -182,6 +182,7 @@ local defaults = {
 use_extensions = false,
 accept_unknown_fields = false,
 fs_use_modules = true,
+ hooks_enabled = true,
 deps_mode = "one",
 
 lua_modules_path = "/share/lua/"..lua_version,
diff --git a/src/luarocks/repos.lua b/src/luarocks/repos.lua
index dc1b63c8..5e87afe3 100644
--- a/src/luarocks/repos.lua
+++ b/src/luarocks/repos.lua
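Review bot: The new guard in build_rockspec is inverted: it returns the "blocked" error when `build.type` is found in `cfg.accepted_build_types`, so the setting behaves as a deny list and any build type that is not listed still reaches `pcall(require, "luarocks.build." .. build.type)`. For an allowlist the test needs a negation, `if cfg.accepted_build_types and not util.array_contains(cfg.accepted_build_types, build.type) then`. Keeping the check ahead of the `require` is the right place, since `build.type` (presumably taken from the rockspec) chooses which module gets loaded. build_rockspec starts and ends outside the hunk.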
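Review bot: The new `hooks_enabled = true` line is the only default this commit adds, so both controls are opt-in: hooks stay enabled, and `accepted_build_types` gets no default, which the guard in build.lua treats as "accept every build type". Neither fact is written down where a user editing the configuration would look. I would add a comment above the new line, for example `-- hooks_enabled = false refuses rockspecs that declare hooks; accepted_build_types (unset by default) lists the build types allowed to run`. The `defaults` table starts and ends outside the hunk.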
@@ -131,6 +131,11 @@ function run_hook(rockspec, hook_name)
 if not hooks then
 return true
 end
+
+ if cfg.hooks_enabled == false then
+ return nil, "This rockspec contains hooks, which are blocked by the 'hooks_enabled' setting in your LuaRocks configuration."
+ end
+
 if not hooks.substituted_variables then
 util.variable_substitutions(hooks, rockspec.variables)
 hooks.substituted_variables = true
diff --git a/src/luarocks/util.lua b/src/luarocks/util.lua
index c5095675..b2428f62 100644
--- a/src/luarocks/util.lua
+++ b/src/luarocks/util.lua
@@ -461,3 +461,12 @@ function show_table(t, name, indent)
 addtocart(t, name, indent)
 return cart .. autoref
 end
+
+function array_contains(tbl, value)
+ for _, v in ipairs(tbl) do
+ if v == value then
+ return true
+ end
+ end
+ return false
+end
-- cgit v1.2.3-55-g6feb
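Review bot: The new check in run_hook refuses any rockspec that has a `hooks` table, whatever `hook_name` is, because it runs right after the `if not hooks` test and before the named hook is looked up (that lookup is presumably further down, outside the hunk). Failing closed like this is the safer reading of the setting, but the intent is not visible in the code and the error does not say which hook was being run. I would add a comment such as `-- Fail closed: with hooks disabled, refuse any rockspec that declares hooks, even if this hook is not defined` and mention `hook_name` in the message. run_hook starts and ends outside the hunk.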
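Review bot: array_contains has no doc comment and hands `tbl` straight to `ipairs`, which on Lua 5.1 and 5.2 raises an error when the argument is not a table. Its only caller in this commit passes `cfg.accepted_build_types`, a user-supplied setting, so a configuration that gives a single string instead of a list would abort the build with a Lua error rather than a clear message. I would add a guard as the first line, `if type(tbl) ~= "table" then return false end`, and a header comment such as `--- Check whether value occurs in the array part of tbl (compared with ==; the scan stops at the first nil).`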