Ensure that only podman and docker container runtimes can be used

2025-04-28 09:52:37 +02:00 · 2025-03-28 14:19:54 +01:00 · 2025-03-28 14:19:54 +01:00 · 86eab5d222
commit 86eab5d222
parent ed39c056bb
3 changed files with 25 additions and 4 deletions
--- a/dangerzone/container_utils.py
+++ b/dangerzone/container_utils.py
@ -21,6 +21,8 @@ class Runtime(object):

        if settings.custom_runtime_specified():
            self.path = Path(settings.get("container_runtime"))
+            if not self.path.exists():
+                raise errors.UnsupportedContainerRuntime(self.path)
            self.name = self.path.stem
        else:
            self.name = self.get_default_runtime_name()
@ -29,6 +31,9 @@ class Runtime(object):
                raise errors.NoContainerTechException(self.name)
            self.path = Path(binary_path)

+        if self.name not in ("podman", "docker"):
+            raise errors.UnsupportedContainerRuntime(self.name)
+
    @staticmethod
    def get_default_runtime_name() -> str:
        return "podman" if platform.system() == "Linux" else "docker"
--- a/dangerzone/errors.py
+++ b/dangerzone/errors.py
@ -140,3 +140,7 @@ class NotAvailableContainerTechException(Exception):
        self.error = error
        self.container_tech = container_tech
        super().__init__(f"{container_tech} is not available")
+
+
+class UnsupportedContainerRuntime(Exception):
+    pass
--- a/tests/test_container_utils.py
+++ b/tests/test_container_utils.py
@ -1,20 +1,21 @@
 from pathlib import Path

+import pytest
 from pytest_mock import MockerFixture

+from dangerzone import errors
 from dangerzone.container_utils import Runtime
 from dangerzone.settings import Settings


 def test_get_runtime_name_from_settings(mocker: MockerFixture, tmp_path: Path) -> None:
    mocker.patch("dangerzone.settings.get_config_dir", return_value=tmp_path)
+    mocker.patch("dangerzone.container_utils.Path.exists", return_value=True)

    settings = Settings()
-    settings.set(
-        "container_runtime", "/opt/somewhere/new-kid-on-the-block", autosave=True
-    )
+    settings.set("container_runtime", "/opt/somewhere/docker", autosave=True)

-    assert Runtime().name == "new-kid-on-the-block"
+    assert Runtime().name == "docker"


 def test_get_runtime_name_linux(mocker: MockerFixture, tmp_path: Path) -> None:
@ -46,3 +47,14 @@ def test_get_runtime_name_non_linux(mocker: MockerFixture, tmp_path: Path) -> No
    assert runtime.name == "docker"
    assert runtime.path == Path("/usr/bin/docker")
    assert Runtime().name == "docker"
+
+
+def test_get_unsupported_runtime_name(mocker: MockerFixture, tmp_path: Path):
+    mocker.patch("dangerzone.settings.get_config_dir", return_value=tmp_path)
+    settings = Settings()
+    settings.set(
+        "container_runtime", "/opt/somewhere/new-kid-on-the-block", autosave=True
+    )
+
+    with pytest.raises(errors.UnsupportedContainerRuntime):
+        assert Runtime().name == "new-kid-on-the-block"