VercodeOperation: only allow simple math expresssions and %c

fdroidserver/checkupdates.py

@@ -429,6 +429,9 @@ def checkupdates_app(app):
         msg = 'Invalid update check method'
 
     if version and vercode and app.VercodeOperation:
+        if not common.VERCODE_OPERATION_RE.match(app.VercodeOperation):
+            raise MetaDataException(_('Invalid VercodeOperation: {field}')
+                                    .format(field=app.VercodeOperation))
         oldvercode = str(int(vercode))
         op = app.VercodeOperation.replace("%c", oldvercode)
         vercode = str(eval(op))

fdroidserver/common.py

@@ -61,6 +61,8 @@ from .asynchronousfilereader import AsynchronousFileReader
 # has to be manually set in test_aapt_version()
 MINIMUM_AAPT_VERSION = '26.0.0'
 
+VERCODE_OPERATION_RE = re.compile(r'^([ 0-9/*+-]|%c)+$')
+
 # A signature block file with a .DSA, .RSA, or .EC extension
 CERT_PATH_REGEX = re.compile(r'^META-INF/.*\.(DSA|EC|RSA)$')
 APK_NAME_REGEX = re.compile(r'^([a-zA-Z][\w.]*)_(-?[0-9]+)_?([0-9a-f]{7})?\.apk')

fdroidserver/lint.py

@@ -222,6 +222,11 @@ def check_update_check_data_url(app):
                     yield _('UpdateCheckData must use HTTPS URL: {url}').format(url=url)
 
 
+def check_vercode_operation(app):
+    if app.VercodeOperation and not common.VERCODE_OPERATION_RE.match(app.VercodeOperation):
+        yield _('Invalid VercodeOperation: {field}').format(field=app.VercodeOperation)
+
+
 def check_ucm_tags(app):
     lastbuild = get_lastbuild(app.builds)
     if (lastbuild is not None
@@ -529,6 +534,7 @@ def main():
         app_check_funcs = [
             check_regexes,
             check_update_check_data_url,
+            check_vercode_operation,
             check_ucm_tags,
             check_char_limits,
             check_old_links,