From a8a574e81ed49d7139bf9f58375eb8cc12255f39 Mon Sep 17 00:00:00 2001
From: Christopher Obbard <chris.obbard@collabora.com>
Date: Fri, 7 Jan 2022 08:58:55 +0000
Subject: [PATCH] actions/run: Check script exists during recipe verification

If a script doesn't exist or the permissions are wrong, the
recipe exits during execution. Let's check early if the
script exists on the host filesystem and that the file has
executable permission bit set.

Signed-off-by: Christopher Obbard <chris.obbard@collabora.com>
---
 actions/run_action.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/actions/run_action.go b/actions/run_action.go
index c70ebfbd..24ec8a59 100644
--- a/actions/run_action.go
+++ b/actions/run_action.go
@@ -45,6 +45,8 @@ package actions
 import (
 	"errors"
 	"github.com/go-debos/fakemachine"
+	"fmt"
+	"os"
 	"path"
 	"strings"
 
@@ -68,6 +70,21 @@ func (run *RunAction) Verify(context *debos.DebosContext) error {
 	if run.Script == "" && run.Command == "" {
 		return errors.New("Script and Command both cannot be empty")
 	}
+
+	if run.Script != "" {
+		argv := strings.SplitN(run.Script, " ", 2)
+		script := debos.CleanPathAt(argv[0], context.RecipeDir)
+
+		stat, err := os.Stat(script)
+		if err != nil {
+			return err
+		}
+
+		if stat.IsDir() || stat.Mode()&0111 == 0 {
+			return fmt.Errorf("Script %s is not executable", script)
+		}
+	}
+
 	return nil
 }