From bdc5eeebfdd3b544a9dc3d533948b5421577f2b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?= <hub@figuiere.net>
Date: Fri, 1 Sep 2023 20:20:31 -0400
Subject: [PATCH] Better check for xdg-dir access

- It would before allow `xdg-config:create`
---
 flatpak_builder_lint/checks/finish_args.py | 10 ++++++----
 tests/manifests/finish_args.json           |  1 +
 tests/test_manifest.py                     |  2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/flatpak_builder_lint/checks/finish_args.py b/flatpak_builder_lint/checks/finish_args.py
index 1f403f36..b0563ee4 100644
--- a/flatpak_builder_lint/checks/finish_args.py
+++ b/flatpak_builder_lint/checks/finish_args.py
@@ -1,3 +1,4 @@
+import re
 from collections import defaultdict
 from typing import Optional, Set
 
@@ -24,11 +25,12 @@ def _validate(self, appid: Optional[str], finish_args: dict[str, Set[str]]) -> N
             self.errors.add("finish-args-fallback-x11-without-wayland")
 
         for xdg_dir in ["xdg-data", "xdg-config", "xdg-cache"]:
-            if xdg_dir in finish_args["filesystem"]:
-                self.errors.add(f"finish-args-arbitrary-{xdg_dir}-access")
-
+            regexp_arbitrary = f"^{xdg_dir}(:(create|rw|ro)?)?$"
+            regexp_unnecessary = f"^{xdg_dir}(\\/.*)?(:(create|rw|ro)?)?$"
             for fs in finish_args["filesystem"]:
-                if fs.startswith(f"{xdg_dir}/") and fs.endswith(":create"):
+                if re.match(regexp_arbitrary, fs):
+                    self.errors.add(f"finish-args-arbitrary-{xdg_dir}-access")
+                elif re.match(regexp_unnecessary, fs):
                     self.errors.add(f"finish-args-unnecessary-{xdg_dir}-access")
 
         if "home" in finish_args["filesystem"] and "host" in finish_args["filesystem"]:
diff --git a/tests/manifests/finish_args.json b/tests/manifests/finish_args.json
index 12c72866..e09b9d46 100644
--- a/tests/manifests/finish_args.json
+++ b/tests/manifests/finish_args.json
@@ -8,6 +8,7 @@
         "--filesystem=xdg-config/autostart",
         "--filesystem=xdg-data",
         "--filesystem=xdg-data/foo:create",
+        "--filesystem=xdg-cache:create",
         "--own-name=org.flathub.finish_args",
         "--own-name=org.kde.StatusNotifierItem",
         "--socket=session-bus",
diff --git a/tests/test_manifest.py b/tests/test_manifest.py
index c871a2ac..0569e31e 100644
--- a/tests/test_manifest.py
+++ b/tests/test_manifest.py
@@ -62,6 +62,7 @@ def test_manifest_finish_args() -> None:
         "finish-args-arbitrary-autostart-access",
         "finish-args-arbitrary-dbus-access",
         "finish-args-arbitrary-xdg-data-access",
+        "finish-args-arbitrary-xdg-cache-access",
         "finish-args-broken-kde-tray-permission",
         "finish-args-flatpak-spawn-access",
         "finish-args-incorrect-dbus-gvfs",
@@ -89,7 +90,6 @@ def test_manifest_finish_args() -> None:
 def test_manifest_finish_args_issue_33() -> None:
     ret = run_checks("tests/manifests/own_name_substring.json")
     found_errors = set(ret["errors"])
-    print(found_errors)
     assert "finish-args-unnecessary-appid-own-name" not in found_errors
 
     ret = run_checks("tests/manifests/own_name_substring2.json")