Allow building without the exec() supported ...

.. to satisfy restricted environment or fuzzers We are encountering weird issues in the oss-fuzz that the file disappears during coverage build so I assume some corpus sneaked in, that contains some commands that end up being executed as part of the coverage run causing it randomly failing. The solution I propose is to build fuzzers without ability to call arbitrary commands on the filesystem (such as `rm -rf /`) as this is not the point the fuzzers should be testing. This is controlled by the WITH_EXEC CMake option (enabled by default). https://github.com/google/oss-fuzz/issues/10136 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Sahana Prasad <sahana@redhat.com> Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
2026-02-04 12:20:42 +09:00 · 2024-07-04 18:28:43 +02:00
parent 2fe9ed1764
commit bed4438695
12 changed files with 81 additions and 34 deletions
--- a/DefineOptions.cmake
+++ b/DefineOptions.cmake
@@ -23,6 +23,7 @@ option(WITH_SYMBOL_VERSIONING "Build with symbol versioning" ON)
 option(WITH_ABI_BREAK "Allow ABI break" OFF)
 option(WITH_GEX "Enable DH Group exchange mechanisms" ON)
 option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not suitable for production!)" OFF)
+option(WITH_EXEC "Enable libssh to execute arbitrary commands from configuration files or options (match exec, proxy commands and OpenSSH-based proxy-jumps)." ON)
 option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
 option(PICKY_DEVELOPER "Build with picky developer flags" OFF)

@@ -60,3 +61,7 @@ endif (NOT GLOBAL_CLIENT_CONFIG)
 if (FUZZ_TESTING)
  set(WITH_INSECURE_NONE ON)
 endif (FUZZ_TESTING)
+
+if (WIN32)
+    set(WITH_EXEC 0)
+endif(WIN32)