YunoHost / package_linter

Linter for YunoHost applications packages
https://yunohost.org/#/packaging_apps
GNU Affero General Public License v3.0

Misc improvements #78

Closed alexAubin closed 4 years ago

alexAubin commented 4 years ago

| App | Level | Results | Nginx path traversal |
| --- | --- | --- | --- |
| wordpress | 8 | :green_heart: | |
| wallabag2 | 8 | :green_heart: | |
| synapse | 8 | :green_heart: | |
| strut | 8 | :green_heart: | |
| piwigo | 8 | 1 :warning: | |
| opensondage | 8 | :green_heart: | |
| leed | 8 | 2 :warning: | |
| gitlab | 8 | 1 :warning: | |
| etherpad_mypads | 8 | 2 :warning: | |
| dokuwiki | 8 | :green_heart: | |
| z-push | 7 | :green_heart: | :red_circle: (out of CI's scope, TBC) |
| zerobin | 7 | :green_heart: | |
| zap | 7 | 8 :warning: | :red_circle: (maybe false negative, TBC) |
| zabbix | 7 | 6 :warning: | |
| writefreely | 7 | 1 :warning: | |
| wikijs | 7 | :green_heart: | |
| wemawema | 7 | 10 :warning: | :red_circle: (confirmed on CI) |
| wekan | 7 | 1 :warning: | |
| weblate | 7 | 1 :warning: | |
| vpnclient | 7 | 3 :warning: | |
| unattended_upgrades | 7 | 13 :warning: | |
| ulogger | 7 | 5 :warning: | :red_circle: (confirmed on CI) |
| tyto | 7 | 4 :warning: | :red_circle: (confirmed on CI) |
| ttrss | 7 | :green_heart: | |
| transmission | 7 | 1 :warning: | :red_circle: (out of CI's scope, TBC) |
| thelounge | 7 | :green_heart: | |
| syncthing | 7 | :green_heart: | |
| spip | 7 | 1 :warning: | |
| spftoolbox | 7 | 3 :warning: | :red_circle: (confirmed on CI) |
| sogo | 7 | :green_heart: | :red_circle: (out of CI's scope, TBC) |
| snipeit | 7 | 2 :warning: | :red_circle: (out of CI's scope, TBC) |
| shellinabox | 7 | 2 :warning: | |
| searx | 7 | :green_heart: | |
| seafile | 7 | :green_heart: | |
| rss-bridge | 7 | 9 :warning: 1 :red_circle: | |
| roundcube | 7 | :green_heart: | |
| riot | 7 | :green_heart: | |
| restic | 7 | 7 :warning: | |
| redirect | 7 | 3 :warning: | |
| rainloop | 7 | :green_heart: | |
| radicale | 7 | 11 :warning: | |
| prettynoemiecms | 7 | :green_heart: | |
| portainer | 7 | 4 :warning: 1 :red_circle: | |
| pluxml | 7 | 2 :warning: | |
| plume | 7 | :green_heart: | |
| pleroma | 7 | 3 :warning: | |
| pixelfed | 7 | 1 :warning: | |
| pilea | 7 | 5 :warning: | |
| pihole | 7 | 4 :warning: | |
| phpmyadmin | 7 | :green_heart: | |
| phpldapadmin | 7 | :green_heart: | |
| pgadmin | 7 | :green_heart: | |
| peertube | 7 | 3 :warning: | |
| owntracks | 7 | 4 :warning: | :red_circle: (maybe false negative, TBC) |
| osticket | 7 | :green_heart: | |
| onlyoffice | 7 | 2 :warning: | |
| nodered | 7 | 2 :warning: | |
| nextcloud | 7 | 3 :warning: | |
| netdata | 7 | 4 :warning: | |
| my_webapp | 7 | 3 :warning: | |
| mumbleserver | 7 | 5 :warning: | |
| multi_webapp | 7 | 11 :warning: | |
| monitorix | 7 | :green_heart: | |
| mobilizon | 7 | 1 :warning: | |
| minetest | 7 | 4 :warning: | |
| mattermost | 7 | 1 :warning: | |
| matomo | 7 | 1 :warning: | |
| mastodon | 7 | 4 :warning: | |
| mailman | 7 | 5 :warning: | :red_circle: (out of CI's scope, TBC) |
| lutim | 7 | 1 :warning: | |
| lufi | 7 | 8 :warning: | |
| lstu | 7 | 10 :warning: | |
| limesurvey | 7 | 7 :warning: | |
| libreto | 7 | 4 :warning: | |
| libreerp | 7 | 9 :warning: | |
| kresus | 7 | 1 :warning: | |
| keeweb | 7 | 22 :warning: | |
| kanboard | 7 | :green_heart: | |
| jupyterlab | 7 | :green_heart: | |
| jitsi | 7 | :green_heart: | |
| jirafeau | 7 | :green_heart: | |
| hubzilla | 7 | 7 :warning: | :red_circle: (maybe false negative, TBC) |
| horde | 7 | 1 :warning: | |
| hextris | 7 | :green_heart: | |
| halcyon | 7 | 4 :warning: | |
| grav | 7 | 1 :warning: | |
| gotify | 7 | 2 :warning: | |
| gogs | 7 | 3 :warning: | |
| glowingbear | 7 | 8 :warning: | :red_circle: (confirmed on CI) |
| gitlab-runner | 7 | 1 :warning: | |
| gitea | 7 | 2 :warning: | |
| garradin | 7 | 7 :warning: | :red_circle: (out of CI's scope, TBC) |
| funkwhale | 7 | 3 :warning: | |
| friendica | 7 | 5 :warning: | :red_circle: (maybe false negative, TBC) |
| freshrss | 7 | :green_heart: | |
| fluxbb | 7 | 1 :warning: | |
| ffsync | 7 | 1 :warning: | |
| fallback | 7 | 3 :warning: | |
| drupal7 | 7 | 1 :warning: | |
| drupal | 7 | 1 :warning: | |
| dotclear2 | 7 | 2 :warning: | |
| dolibarr | 7 | :green_heart: | |
| distbin | 7 | 1 :warning: | |
| discourse | 7 | 26 :warning: | :red_circle: (out of CI's scope, TBC) |
| concrete5 | 7 | 1 :warning: | |
| civicrm_drupal7 | 7 | 1 :warning: | |
| cheky | 7 | :green_heart: | |
| calibreweb | 7 | 11 :warning: | |
| bozon | 7 | :green_heart: | |
| borg | 7 | 10 :warning: | |
| blogotext | 7 | :green_heart: | |
| bitwarden | 7 | :green_heart: | |
| archivist | 7 | 2 :warning: | |
| anfora | 7 | 1 :warning: | :red_circle: (out of CI's scope, TBC) |
| anarchism | 7 | 2 :warning: | |
| ampache | 7 | :green_heart: | |
| airsonic | 7 | :green_heart: | |
| tvheadend | 5 | 1 :warning: | |
| qr | 5 | 1 :warning: | |
| mytinytodo | 5 | 29 :warning: | :red_circle: (confirmed on CI) |
| phpsysinfo | 4 | :green_heart: | |
| minidlna | 4 | 14 :warning: 1 :red_circle: | |
| minchat | 4 | 23 :warning: 3 :red_circle: | :red_circle: |
| jappix | 4 | 13 :warning: 4 :red_circle: | :red_circle: |
| hotspot | 4 | 2 :warning: 1 :red_circle: | |
| grafana | 4 | 12 :warning: 4 :red_circle: | |
| framagames | 4 | 18 :warning: 7 :red_circle: | :red_circle: |
| collabora | 4 | 1 :red_circle: | |
| cesium | 4 | 9 :warning: 7 :red_circle: | :red_circle: |
| borgserver | 4 | 8 :warning: | |
| biboumi | 4 | 9 :warning: 1 :red_circle: | |
| webmin | 3 | 12 :warning: 4 :red_circle: | |
| ssh_chroot_dir | 3 | 13 :warning: 2 :red_circle: | |
| shsd | 3 | 7 :warning: | |
| movim | 3 | 6 :warning: 2 :red_circle: | |
| monit | 3 | 15 :warning: 12 :red_circle: | |
| htmltool | 3 | 21 :warning: 13 :red_circle: | :red_circle: |
| emailpoubelle | 3 | 4 :warning: | |
| cubiks-2048 | 3 | 22 :warning: 12 :red_circle: | :red_circle: |
| 243 | 3 | 21 :warning: 11 :red_circle: | :red_circle: |
| 20euros | 3 | 20 :warning: 12 :red_circle: | :red_circle: |
| zeronet | 2 | 11 :warning: 3 :red_circle: | |
| yourls | 2 | 10 :warning: 2 :red_circle: | :red_circle: |
| tagspaces | 2 | 21 :warning: 13 :red_circle: | :red_circle: |
| svgedit | 2 | 21 :warning: | |
| shaarli | 2 | 4 :warning: | |
| nodebb | 2 | 29 :warning: 1 :red_circle: | |
| monica | 2 | 32 :warning: | :red_circle: |
| laverna | 2 | 9 :warning: 7 :red_circle: | :red_circle: |
| h5ai | 2 | 3 :red_circle: | |
| framaforms | 2 | 1 :warning: | |
| cowyo | 2 | 1 :warning: | |
| couchpotato | 2 | 17 :warning: 6 :red_circle: | |
| cachet | 2 | 7 :warning: | :red_circle: |
| torclient | 1 | 21 :warning: 11 :red_circle: | :red_circle: |
| piratebox | 1 | 28 :warning: 11 :red_circle: | :red_circle: |
| my-mind | 1 | 2 :warning: | |
| mantis | 1 | 10 :warning: 3 :red_circle: | |
| jeedom | 1 | 11 :warning: | :red_circle: |
| cryptpad | 1 | 7 :warning: | |
| armadietto | 1 | 2 :warning: | |
| alltube | 1 | :green_heart: | |
| adminer | 1 | 6 :warning: 3 :red_circle: | :red_circle: |
| timeoff | 0 | 19 :warning: | |
| reel2bits | 0 | 2 :warning: | :red_circle: |
| openproject | 0 | 2 :warning: 1 :red_circle: | |
| mediawiki | 0 | :green_heart: | |
| ihatemoney | 0 | 22 :warning: 2 :red_circle: | |
| baikal | 0 | :green_heart: | |
| agendav | 0 | :green_heart: | |
| ztncui | -1 | 1 :warning: 1 :red_circle: | |
| zerotier | -1 | 1 :warning: | |
| transpay | -1 | 4 :warning: 4 :red_circle: | |
| scrumblr | -1 | 43 :warning: 2 :red_circle: | |
| pelican | -1 | 8 :warning: 1 :red_circle: | :red_circle: |
| noalyss | -1 | 3 :warning: 1 :red_circle: | |
| modernpaste | -1 | 1 :warning: | :red_circle: |
| mailman3 | -1 | 1 :warning: 2 :red_circle: | :red_circle: |
| kimai2 | -1 | 9 :warning: 2 :red_circle: | :red_circle: |
| jenkins | -1 | 4 :warning: | |
| foodsoft | -1 | 2 :red_circle: | |
| flask | -1 | 14 :warning: 6 :red_circle: | :red_circle: |
| flarum | -1 | 1 :warning: | :red_circle: |
| duniter | -1 | 4 :warning: 7 :red_circle: | |
| domoticz | -1 | 5 :warning: | |
| django_app | -1 | 12 :warning: 2 :red_circle: | :red_circle: |
| diasporadocker | -1 | 5 :warning: 1 :red_circle: | |
| diagramsnet | -1 | :green_heart: | |
| collaboradocker | -1 | 4 :warning: 1 :red_circle: | |
| codimd | -1 | 3 :warning: 3 :red_circle: | |
| caliopen | -1 | 1 :warning: | |

alexAubin commented 4 years ago

Here are some results of the new package linter (cf. original post).

For now I split the nginx path traversal issue detection into a separate column (even though the current code reports it as an error).

So: if we do not report the nginx traversal issue as an error for now, only rss-bridge and portainer will drop to level 4 (though there's a pending PR for rss-bridge if I remember correctly).

However, we should consider reporting this nginx path traversal issue as an actual issue considering many apps are affected and not getting fixed ...

Note that the current CI can miss some of them, for example for transmission/ ... because the nginx issue found is about transmission/downloads, but the CI only tests the root of the app ...

Any thoughts on this specific item, and the PR in general, @YunoHost/apps folks ?

maniackcrudelis commented 4 years ago

> However, we should consider reporting this nginx path traversal issue as an actual issue considering many apps are affected and not getting fixed ...

This is already tested by the CI. I don't know how you test it, but rather than a syntax check I do prefer an actual test. Otherwise looks good. Hope there are fewer false positives.

alexAubin commented 4 years ago

> This is already tested by the CI, I don't know how you test it, but rather than a syntax check I do prefer an actual test.

It's not a syntax check, it's an actual parsing of the code ... Of course, considering that there are placeholder variables that may still get replaced with something with/without a trailing slash, that's still not 100% accurate and has to be confirmed by an actual test.

But the test on the CI isn't 100% accurate either and has false positives. As said, it doesn't cover other locations inside the nginx conf (cf. transmission/downloads) and it assumes that the alias folder is going to be in /var/www/, which is not always the case.

So with that in mind, to me the two approaches are simply complementary...

(Edit: note also that the current code of package_check doesn't cap the level of apps that are vulnerable ... so for example we have wemawema being level 7 and in fact vulnerable to this)
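
To make the two approaches discussed in this thread concrete, here is an added example (it is not package_linter's or package_check's own code): a small static check of the kind described above over an nginx template, which also derives the request a runtime probe would have to make for every `location`, not only the app root. It assumes YunoHost-style `__PATH__` / `__FINALPATH__` placeholders in the template, and the sample config is constructed for the example; the second location with an alias outside `/var/www/` is modelled on the transmission/downloads case mentioned above, with a made-up alias path.

```python
import posixpath
import re

# Constructed sample nginx config (not taken from any real YunoHost app). The
# __PATH__ / __FINALPATH__ placeholders are assumed to be substituted at install
# time, as YunoHost nginx templates are; a static check cannot know the values.
SAMPLE_CONF = r"""
location /transmission/ {
    proxy_pass http://127.0.0.1:9091/transmission/;
}

# A second location under the same app: a probe of the app root alone never
# exercises it, and its alias is not under /var/www/ (alias path is made up).
location /transmission/downloads {
    alias /var/lib/transmission-daemon/downloads/;
    autoindex on;
}

location __PATH__/static {
    alias __FINALPATH__/static/;
}

location __PATH__ {
    alias __FINALPATH__/;
    location ~ \.php$ { fastcgi_pass unix:/run/php/php-fpm.sock; }
}
"""

LOCATION_RE = re.compile(r"\blocation\s+(?:(=|~\*|~|\^~)\s+)?([^\s{]+)\s*\{")
ALIAS_RE = re.compile(r"\balias\s+([^;]+);")
PLACEHOLDER_RE = re.compile(r"__[A-Z_]+__")


def block_body(conf, open_brace):
    """Text between conf[open_brace] and its matching '}', with nested {...}
    blocks removed so an inner location's directives are not read as the
    outer location's."""
    depth, out = 0, []
    for ch in conf[open_brace:]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            out.append(ch)
    return "".join(out)


def check_alias_traversal(conf):
    """Static check: a prefix `location` that uses `alias` and whose path has
    no trailing slash lets GET <path>../ escape the alias directory, because
    nginx replaces the matched prefix with the alias target verbatim."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, path = m.group(1), m.group(2)
        alias = ALIAS_RE.search(block_body(conf, m.end() - 1))
        if alias is None:
            continue  # root/proxy_pass locations are not affected by this bug
        target = alias.group(1).strip()
        if modifier in ("=", "~", "~*"):
            verdict = "not-analysed"  # exact/regex matches need another rule
        elif path.endswith("/"):
            verdict = "ok"  # "/app/" cannot match "/app../"
        elif PLACEHOLDER_RE.search(path.rsplit("/", 1)[-1]):
            verdict = "unsure"  # depends on what the placeholder expands to
        else:
            verdict = "vulnerable"
        # Where the probe lands: the alias target's parent directory. None when
        # that parent is unknown until a placeholder has been substituted.
        parent = posixpath.dirname(target.rstrip("/"))
        findings.append({
            "location": path,
            "alias": target,
            "verdict": verdict,
            "probe": path + "../",
            "maps_to": parent + "/" if parent else None,
        })
    return findings


def linter_outcome(findings):
    """Fold findings into a reporting level: a literal vulnerable location is
    an error, a placeholder-dependent one only a warning until a runtime probe
    confirms it."""
    verdicts = {f["verdict"] for f in findings}
    if "vulnerable" in verdicts:
        return "error"
    if "unsure" in verdicts:
        return "warning"
    return "ok"


if __name__ == "__main__":
    for f in check_alias_traversal(SAMPLE_CONF):
        print(f"{f['verdict']:<12} location {f['location']}  probe GET {f['probe']}"
              f"  -> served from {f['maps_to']}")
    print("linter outcome:", linter_outcome(check_alias_traversal(SAMPLE_CONF)))
```

On the sample, the `/transmission/downloads` location is reported as vulnerable with the probe `GET /transmission/downloads../`, which would be served from `/var/lib/transmission-daemon/`: a probe that only requests the app root, or only looks for content from `/var/www/`, sees nothing. The bare `__PATH__` location comes back as "unsure", which is the case that has to be confirmed by an actual request once the placeholder is substituted.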

maniackcrudelis commented 4 years ago

Indeed, the level is not set lower because of this error; when we added this check, we weren't sure. Could be modified.

Regarding the linter: a warning, but not an error until we're sure there are no false positives with it. Otherwise apps will end up with level 5 forced, which is worse...

alexAubin commented 4 years ago

Well yolo, let's merge as is

I changed the nginx path traversal issue to still be a warning ... but it's been a warning for a long time (in the linter and the CI) and people aren't necessarily fixing it, so we've got to consider making it an error at some point ... and/or make some PRs on the repo ... (at least for apps at level 5 to 8)

Let's see if anybody's screaming about the other changes for now.

maniackcrudelis commented 4 years ago

https://github.com/YunoHost/package_check/commit/176c9de77678755ce16587c4d104d1435578ebca