RDKB-63013 update cmake build to parse conf file#29
Conversation
There was a problem hiding this comment.
Pull request overview
Extends the native component CMake build path to optionally consume compiler/linker flags from configure_options.conf (via configure_options_file in the JSON), aligning CMake builds with the existing autotools configuration mechanism.
Changes:
- Add parsing of
configure_options_fileduring CMake builds to extractCPPFLAGS,CFLAGS, andLDFLAGS. - Convert parsed flags into corresponding CMake cache variables (
CMAKE_C_FLAGS,CMAKE_CXX_FLAGS,CMAKE_EXE_LINKER_FLAGS). - Minor whitespace cleanup in the script.
Comments suppressed due to low confidence (1)
cov_docker_script/build_native.sh:189
parse_configure_options_filecurrently returns the exit status of the last[[ -n ... ]] && ...line. If (for example)LDFLAGSis empty, the last test returns non-zero and the function reports failure even though it successfully parsed other sections. This can incorrectly fail both autotools and cmake builds when only some sections are present. Consider ending the function with an explicitreturn 0(after building the array) so parsing an existing file with partial/empty sections is still treated as success.
# Build final options array
[[ -n "$cppflags" ]] && options_array+=("CPPFLAGS=${cppflags% }")
[[ -n "$cflags" ]] && options_array+=("CFLAGS=${cflags% }")
[[ -n "$ldflags" ]] && options_array+=("LDFLAGS=${ldflags% }")
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| local parsed_array=() | ||
| if parse_configure_options_file "$config_file_path" parsed_array; then | ||
| for opt in "${parsed_array[@]}"; do | ||
| case $opt in |
There was a problem hiding this comment.
In the case statement, $opt should be quoted (case "$opt" in) to prevent word splitting and pathname expansion when an option value contains spaces or glob characters. As written, a value like CPPFLAGS=-I/foo -I/bar can break the case parsing or match unintended patterns.
| case $opt in | |
| case "$opt" in |
|
|
||
| # Compose cmake flags | ||
| local combined_cmake_flags="$cmake_flags" | ||
| [[ -n "$cppflags" ]] && combined_cmake_flags+=" -DCMAKE_C_FLAGS=\"$cppflags $cflags\" -DCMAKE_CXX_FLAGS=\"$cppflags $cflags\"" |
There was a problem hiding this comment.
combined_cmake_flags only sets CMAKE_C_FLAGS/CMAKE_CXX_FLAGS when cppflags is non-empty. If the config file provides only CFLAGS (no CPPFLAGS section), those flags will be silently ignored for CMake builds. Consider gating this on cppflags OR cflags (or building the combined flags string first and checking it).
| [[ -n "$cppflags" ]] && combined_cmake_flags+=" -DCMAKE_C_FLAGS=\"$cppflags $cflags\" -DCMAKE_CXX_FLAGS=\"$cppflags $cflags\"" | |
| # Combine CPPFLAGS and CFLAGS if either is present | |
| local cmake_compile_flags="" | |
| if [[ -n "$cppflags" ]]; then | |
| cmake_compile_flags+="$cppflags" | |
| fi | |
| if [[ -n "$cflags" ]]; then | |
| [[ -n "$cmake_compile_flags" ]] && cmake_compile_flags+=" " | |
| cmake_compile_flags+="$cflags" | |
| fi | |
| if [[ -n "$cmake_compile_flags" ]]; then | |
| combined_cmake_flags+=" -DCMAKE_C_FLAGS=\"$cmake_compile_flags\" -DCMAKE_CXX_FLAGS=\"$cmake_compile_flags\"" | |
| fi |
|
|
||
| # Parse configure options file if exists | ||
| local config_file_path cppflags cflags ldflags | ||
| config_file_path=$(jq -r '.native_component.build.configure_options_file // empty' "$CONFIG_FILE") | ||
| if [[ -n "$config_file_path" ]]; then | ||
| config_file_path=$(expand_path "$config_file_path") | ||
| if [[ ! "$config_file_path" = /* ]]; then | ||
| config_file_path="$COMPONENT_DIR/$config_file_path" | ||
| fi | ||
|
|
||
| step "Reading configure options from: $config_file_path" | ||
| local parsed_array=() | ||
| if parse_configure_options_file "$config_file_path" parsed_array; then | ||
| for opt in "${parsed_array[@]}"; do | ||
| case $opt in | ||
| CPPFLAGS=*) cppflags="${opt#CPPFLAGS=}" ;; | ||
| CFLAGS=*) cflags="${opt#CFLAGS=}" ;; | ||
| LDFLAGS=*) ldflags="${opt#LDFLAGS=}" ;; | ||
| esac | ||
| done | ||
| else | ||
| err "Failed to parse configure options file (for cmake)" | ||
| return 1 | ||
| fi | ||
| fi | ||
|
|
||
| # Compose cmake flags | ||
| local combined_cmake_flags="$cmake_flags" | ||
| [[ -n "$cppflags" ]] && combined_cmake_flags+=" -DCMAKE_C_FLAGS=\"$cppflags $cflags\" -DCMAKE_CXX_FLAGS=\"$cppflags $cflags\"" | ||
| [[ -n "$ldflags" ]] && combined_cmake_flags+=" -DCMAKE_EXE_LINKER_FLAGS=\"$ldflags\"" |
There was a problem hiding this comment.
The values read from configure_options_file are used to build combined_cmake_flags and then passed to build_cmake, which invokes cmake via eval on a command string including these flags. Because configure_options_file is an external file and its CPPFLAGS/CFLAGS/LDFLAGS content is not shell-escaped, an attacker controlling this file can inject shell metacharacters (e.g. ;, backticks, $(...)) so that eval executes arbitrary commands instead of just passing flags to CMake. To mitigate this, avoid using eval for the CMake invocation and pass flags as properly quoted separate arguments (or rigorously sanitize/escape the contents of cppflags, cflags, and ldflags before composing the command).
2 participants
Updating build_Component_cmake to parse cmake_flags from configure_options.conf.