Add script shebang validation across script hooks

Author: homebysix

pre_commit_hooks/check_jamf_extension_attributes.py

@@ -5,6 +5,8 @@
 import argparse
 import re
 
+from util import validate_shebangs
+
 
 def build_argument_parser():
     """Build and return the argument parser."""
@@ -13,6 +15,12 @@ def build_argument_parser():
         description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
     )
     parser.add_argument("filenames", nargs="*", help="Filenames to check.")
+    parser.add_argument(
+        "--valid-shebangs",
+        nargs="+",
+        default=[],
+        help="Add other valid shebangs for your environment",
+    )
     return parser
 
 
@@ -28,13 +36,22 @@ def main(argv=None):
         with open(filename, "r", encoding="utf-8") as openfile:
             ea_content = openfile.read()
 
+        # Ensure script contains both <result> and </result> tags
         if "<result>" not in ea_content or "</result>" not in ea_content:
             print(f"{filename}: missing <result> and/or </result> tags")
             retval = 1
-        all_results = len(re.findall("result.*\/result", ea_content))
-        proper_results = len(re.findall("<result>.*<\/result>", ea_content))
+
+        # Ensure result tags are in proper order (open then close)
+        all_results = len(re.findall(r"result.*\/result", ea_content))
+        proper_results = len(re.findall(r"<result>.*<\/result>", ea_content))
         if proper_results < all_results:
-            print(f"{filename}: has incomplete <result> tags!")
+            print(f"{filename}: has incomplete <result> tags")
+            retval = 1
+
+        # Ensure all pkginfo scripts have a proper shebang.
+        if not validate_shebangs(ea_content, filename, args.valid_shebangs):
+            print(f"{filename}: does not start with a valid shebang")
+            retval = 1
 
     return retval
 

pre_commit_hooks/check_jamf_scripts.py

@@ -4,6 +4,8 @@
 
 import argparse
 
+from util import validate_shebangs
+
 
 def build_argument_parser():
     """Build and return the argument parser."""
@@ -12,6 +14,12 @@ def build_argument_parser():
         description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
     )
     parser.add_argument("filenames", nargs="*", help="Filenames to check.")
+    parser.add_argument(
+        "--valid-shebangs",
+        nargs="+",
+        default=[],
+        help="Add other valid shebangs for your environment",
+    )
     return parser
 
 
@@ -29,16 +37,17 @@ def main(argv=None):
 
         # Ensure script starts with a shebang of some sort.
         if not script_content.startswith("#!/"):
-            print("{}: missing shebang".format(filename))
+            print(f"{filename}: missing shebang")
             retval = 1
 
         # Ensure we're not using env for root-context scripts.
         if script_content.startswith("#!/usr/bin/env"):
-            print(
-                "{}: using env for root-context scripts is not recommended".format(
-                    filename
-                )
-            )
+            print(f"{filename}: using env for root-context scripts is not recommended")
+            retval = 1
+
+        # Ensure all pkginfo scripts have a proper shebang.
+        if not validate_shebangs(script_content, filename, args.valid_shebangs):
+            print(f"{filename}: does not start with a valid shebang")
             retval = 1
 
     return retval

pre_commit_hooks/check_munki_pkgsinfo.py

@@ -8,6 +8,8 @@
 from pathlib import Path
 from xml.parsers.expat import ExpatError
 
+from util import validate_shebangs
+
 from pre_commit_hooks.util import (
     validate_pkginfo_key_types,
     validate_required_keys,
@@ -216,19 +218,6 @@ def main(argv=None):
                 retval = 1
 
         # Ensure all pkginfo scripts have a proper shebang.
-        builtin_shebangs = [
-            "#!/bin/bash",
-            "#!/bin/sh",
-            "#!/bin/zsh",
-            "#!/usr/bin/osascript",
-            "#!/usr/bin/perl",
-            "#!/usr/bin/python3",
-            "#!/usr/bin/python",
-            "#!/usr/bin/ruby",
-            "#!/usr/local/munki/munki-python",
-            "#!/usr/local/munki/Python.framework/Versions/Current/bin/python3",
-        ]
-        shebangs = builtin_shebangs + args.valid_shebangs
         script_types = (
             "installcheck_script",
             "uninstallcheck_script",
@@ -238,14 +227,12 @@ def main(argv=None):
             "preuninstall_script",
             "uninstall_script",
         )
-        for script_type in script_types:
-            if script_type in pkginfo:
-                if all(not pkginfo[script_type].startswith(x + "\n") for x in shebangs):
-                    print(
-                        "{}: Has a {} that does not start with a valid shebang.".format(
-                            filename, script_type
-                        )
-                    )
+        for s_type in script_types:
+            if s_type in pkginfo:
+                if not validate_shebangs(
+                    pkginfo[s_type], filename, args.valid_shebangs
+                ):
+                    print(f"{filename}: {s_type} does not start with a valid shebang")
                     retval = 1
 
         # Ensure the items_to_copy list does not include trailing slashes.

pre_commit_hooks/check_munkiadmin_scripts.py

@@ -5,6 +5,8 @@
 import argparse
 import os
 
+from util import validate_shebangs
+
 
 def build_argument_parser():
     """Build and return the argument parser."""
@@ -25,8 +27,17 @@ def main(argv=None):
 
     retval = 0
     for filename in args.filenames:
+
+        # Ensure scripts are executable
         if not os.access(filename, os.X_OK):
-            print("{}: not executable".format(filename))
+            print(f"{filename}: not executable")
+            retval = 1
+
+        # Ensure scripts have a proper shebang
+        with open(filename, "r", encoding="utf-8") as openfile:
+            script_content = openfile.read()
+        if not validate_shebangs(script_content, filename):
+            print(f"{filename}: does not start with a valid shebang")
             retval = 1
 
     return retval

pre_commit_hooks/check_outset_scripts.py

@@ -5,6 +5,8 @@
 import argparse
 import os
 
+from util import validate_shebangs
+
 
 def build_argument_parser():
     """Build and return the argument parser."""
@@ -26,7 +28,14 @@ def main(argv=None):
     retval = 0
     for filename in args.filenames:
         if not os.access(filename, os.X_OK):
-            print("{}: not executable".format(filename))
+            print(f"{filename}: not executable")
+            retval = 1
+
+        # Ensure scripts have a proper shebang
+        with open(filename, "r", encoding="utf-8") as openfile:
+            script_content = openfile.read()
+        if not validate_shebangs(script_content, filename):
+            print(f"{filename}: does not start with a valid shebang")
             retval = 1
 
     return retval

pre_commit_hooks/util.py

@@ -24,6 +24,21 @@
     "date": datetime,
 }
 
+# List of common shebangs used by Mac admin scripts
+# (Can be augmented with --valid-shebangs parameter)
+BUILTIN_SHEBANGS = [
+    "#!/bin/bash",
+    "#!/bin/sh",
+    "#!/bin/zsh",
+    "#!/usr/bin/osascript",
+    "#!/usr/bin/perl",
+    "#!/usr/bin/python3",
+    "#!/usr/bin/python",  # removed since macOS 12.3
+    "#!/usr/bin/ruby",
+    "#!/usr/local/munki/munki-python",
+    "#!/usr/local/munki/Python.framework/Versions/Current/bin/python3",
+]
+
 
 def load_autopkg_recipe(path):
     """Loads an AutoPkg recipe in plist, yaml, or json format."""
@@ -169,3 +184,13 @@ def validate_pkginfo_key_types(pkginfo, filename):
                 passed = False
 
     return passed
+
+
+def validate_shebangs(script_content, filename, addl_shebangs=[]):
+    """Verifies that scripts begin with a valid shebang."""
+    passed = True
+    shebangs = BUILTIN_SHEBANGS + addl_shebangs
+    if not any((script_content.startswith(x) + "\n" for x in shebangs)):
+        print(f"{filename}: does not start with a valid shebang")
+        passed = False
+    return passed