Fix #1708 - Don't modify linters or register fixers in the sandbox

3 files changed, 57 insertions, 1 deletions

diff --git a/autoload/ale/fix/registry.vim b/autoload/ale/fix/registry.vim
index 539234c0..e148ecd6 100644
--- a/autoload/ale/fix/registry.vim
+++ b/autoload/ale/fix/registry.vim
@@ -242,6 +242,9 @@ endfunction
 " Add a function for fixing problems to the registry.
 " (name, func, filetypes, desc, aliases)
 function! ale#fix#registry#Add(name, func, filetypes, desc, ...) abort
+    " This command will throw from the sandbox.
+    let &equalprg=&equalprg
+
     if type(a:name) != type('')
         throw '''name'' must be a String'
     endif
diff --git a/autoload/ale/linter.vim b/autoload/ale/linter.vim
index 22e3c5dc..aa602f7e 100644
--- a/autoload/ale/linter.vim
+++ b/autoload/ale/linter.vim
@@ -50,6 +50,9 @@ endfunction
 " This is only for tests.
 " Do not call this function.
 function! ale#linter#GetLintersLoaded() abort
+    " This command will throw from the sandbox.
+    let &equalprg=&equalprg
+
     return s:linters
 endfunction
 
@@ -289,6 +292,9 @@ function! ale#linter#PreProcess(filetype, linter) abort
 endfunction
 
 function! ale#linter#Define(filetype, linter) abort
+    " This command will throw from the sandbox.
+    let &equalprg=&equalprg
+
     if !has_key(s:linters, a:filetype)
         let s:linters[a:filetype] = []
     endif
@@ -304,6 +310,12 @@ function! ale#linter#PreventLoading(filetype) abort
 endfunction
 
 function! ale#linter#GetAll(filetypes) abort
+    " Don't return linters in the sandbox.
+    " Otherwise a sandboxed script could modify them.
+    if ale#util#InSandbox()
+        return []
+    endif
+
     let l:combined_linters = []
 
     for l:filetype in a:filetypes
diff --git a/test/test_sandbox_execution.vader b/test/test_sandbox_execution.vader
index 7f4941fd..4dbcb0db 100644
--- a/test/test_sandbox_execution.vader
+++ b/test/test_sandbox_execution.vader
@@ -24,10 +24,13 @@ Before:
   let g:ale_buffer_info = {}
 
 After:
+  unlet! b:in_sandbox
+  unlet! b:result
+
   delfunction TestCallback
   call ale#linter#Reset()
   let g:ale_buffer_info = {}
-  unlet! b:in_sandbox
+
 
 Given foobar (Some imaginary filetype):
   foo
@@ -61,3 +64,41 @@ Execute(ALE shouldn't blow up if file cleanup happens in a sandbox):
 
   AssertEqual ['/tmp/foo'], g:ale_buffer_info[3].temporary_file_list
   AssertEqual ['/tmp/bar'], g:ale_buffer_info[3].temporary_directory_list
+
+Execute(You shouldn't be able to define linters from the sandbox):
+  call ale#linter#Reset()
+  call ale#linter#PreventLoading('testft')
+
+  AssertThrows sandbox call ale#linter#Define('testft', {
+  \ 'name': 'testlinter',
+  \ 'output_stream': 'stdout',
+  \ 'executable': 'testlinter',
+  \ 'command': 'testlinter',
+  \ 'callback': 'testCB',
+  \})
+  AssertEqual 'Vim(let):E48: Not allowed in sandbox', g:vader_exception
+  AssertEqual [], ale#linter#GetAll(['testft'])
+
+Execute(You shouldn't be able to register fixers from the sandbox):
+  call ale#fix#registry#Clear()
+  AssertThrows sandbox call ale#fix#registry#Add('prettier', '', ['javascript'], 'prettier')
+  AssertEqual 'Vim(let):E48: Not allowed in sandbox', g:vader_exception
+  AssertEqual [], ale#fix#registry#CompleteFixers('', 'ALEFix ', 7)
+
+Execute(You shouldn't be able to get linters from the sandbox, to prevent tampering):
+  AssertThrows sandbox call ale#linter#GetLintersLoaded()
+  AssertEqual 'Vim(let):E48: Not allowed in sandbox', g:vader_exception
+
+  call ale#linter#Reset()
+
+  sandbox let b:result = ale#linter#GetAll(['testft'])
+
+  AssertEqual 0, len(b:result)
+
+  let b:result = ale#linter#GetAll(['testft'])
+
+  AssertEqual 1, len(b:result)
+
+  sandbox let b:result = ale#linter#GetAll(['testft'])
+
+  AssertEqual 0, len(b:result)