From 7427946b94a647bb63d7203bf4e889e0a45630ba Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann"
Date: Sat, 16 Nov 2024 09:54:34 +0100
Subject: [PATCH 1/3] Add support to parse build params from _buildparams file To allow for custom build tweaks such as `-j1` and `--vm-custom-opt=-cpu qemu64` written as separate lines in `_buildparams`
---
 build | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/build b/build
index 23bcfa84..fbb309a0 100755
--- a/build
+++ b/build
@@ -1043,6 +1043,7 @@ run_shell() {
 fi
 }
+parse_args() {
 validate_init "$BUILD_CONF"
 while test -n "$1"; do
@@ -1366,6 +1367,14 @@ while test -n "$1"; do
 validate_param "$PARAM" "$ARG"
 fi
 done
+}
+buildparams=()
+if [ -e _buildparams ] ; then
+ while read ARG ; do
+ buildparams+=("$ARG")
+ done < _buildparams
+fi
+parse_args "$@" "${buildparams[@]}"
 # validate params coming from the environment
 test -n "$BUILD_ARCH" && validate_param "--arch" "$BUILD_ARCH" BUILD_ARCH
From 0317136e02644ccfb01c7b11df3159db62ebcf87 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann"
Date: Mon, 18 Nov 2024 07:30:29 +0100
Subject: [PATCH 2/3] Add buildparam validation to minimize risk to OBS operations. The pattern for jobs deliberately does not have a * or + to not allow DoS or integer overflows.
---
 build | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/build b/build
index fbb309a0..4a16379d 100755
--- a/build
+++ b/build
@@ -1370,7 +1370,15 @@ done
 }
 buildparams=()
 if [ -e _buildparams ] ; then
+ local n=0
 while read ARG ; do
+ let n++
+ if ! [[ $ARG =~ ^--jobs=[1-9]$ ]] &&
+ ! [[ $ARG =~ ^--vm-custom-opt=-cpu\ [a-zA-Z0-9=,_+-]+$ ]]
+ then
+ echo "buildparams line $n did not match whitelist in $BASH_SOURCE => skipping"
+ continue
+ fi
 buildparams+=("$ARG")
 done < _buildparams
 fi
From fbd8a809a4111b7339981f9745f74586db2c11fd Mon Sep 17 00:00:00 2001
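Review bot: The `while read ARG` loop in the second hunk of patch 1/3 reads `_buildparams` without `IFS=` or `-r`, so backslashes are consumed and surrounding blanks trimmed before a line becomes an option, and a final line without a trailing newline is dropped silently. `while IFS= read -r ARG || [[ -n $ARG ]]; do` keeps each line exactly as written. The loop also reuses the global `ARG`, which the `parse_args` body assigns too (`ARG="$2"` is visible as context in patch 3/3), so a separate name such as `line` would avoid the overlap. At this commit every line is forwarded to `parse_args` unfiltered and the allow-list only arrives with patch 2/3, so the two should not be applied separately.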
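Review bot: `local n=0` in patch 2/3 sits outside any function as far as the hunk shows (it follows the `}` that closes `parse_args`), and bash rejects `local` there with "can only be used in a function" and a non-zero status; plain `n=0` is what is needed. `let n++` also returns status 1 on the first iteration because the expression evaluates to 0, which would end the script if `errexit` is enabled somewhere outside this hunk; `n=$((n+1))` avoids that. The `-cpu` pattern would benefit from a comment such as `# no whitespace in the class: one line must not add a further word to the VM options`, which is presumably the intent but is not stated.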
From: "Bernhard M. Wiedemann"
Date: Mon, 18 Nov 2024 14:03:21 +0100
Subject: [PATCH 3/3] Support pbuild-style build in dir PBuild runs build without chdir into the source-dir
---
 build | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/build b/build
index 4a16379d..00ceeca3 100755
--- a/build
+++ b/build
@@ -1043,9 +1043,8 @@ run_shell() {
 fi
 }
-parse_args() {
 validate_init "$BUILD_CONF"
-
+parse_args() {
 while test -n "$1"; do
 PARAM="$1"
 ARG="$2"
@@ -1368,8 +1367,14 @@ while test -n "$1"; do
 fi
 done
 }
+parse_args "$@"
+recipedir=.
+if [[ -n ${RECIPEFILES[0]} ]] ; then
+ recipedir=$(dirname "${RECIPEFILES[0]}")
+fi
+
 buildparams=()
-if [ -e _buildparams ] ; then
+if [ -e $recipedir/_buildparams ] ; then
 local n=0
 while read ARG ; do
 let n++
@@ -1380,9 +1385,9 @@ if [ -e _buildparams ] ; then
 continue
 fi
 buildparams+=("$ARG")
- done < _buildparams
+ done < $recipedir/_buildparams
 fi
-parse_args "$@" "${buildparams[@]}"
+parse_args "${buildparams[@]}"
 # validate params coming from the environment
 test -n "$BUILD_ARCH" && validate_param "--arch" "$BUILD_ARCH" BUILD_ARCH
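Review bot: `$recipedir` is expanded unquoted in `[ -e $recipedir/_buildparams ]` here and again in `done < $recipedir/_buildparams` in the last hunk, so a recipe path containing whitespace or glob characters breaks the test or makes the redirection ambiguous. Quote both, `if [ -f "$recipedir/_buildparams" ] ; then` and `done < "$recipedir/_buildparams"`. Using `-f` instead of `-e` also keeps a directory or FIFO of that name from reaching the redirection. Because the file arrives with the package sources, it is worth deciding whether a symlink should be accepted at all (`! -L`).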
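Review bot: `parse_args "${buildparams[@]}"` in the last hunk runs as a second pass after `parse_args "$@"`, so for the options the allow-list admits, the value from `_buildparams` is parsed after the one from the command line. Whether the later value wins depends on the `parse_args` body, which lies outside these hunks; if it does, a package-supplied `--jobs` replaces what the operator passed. A comment above the call stating the intended precedence, for example `# _buildparams is parsed last and may override --jobs / --vm-custom-opt from the command line`, would make that a documented decision.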