From: Demi Marie Obenour
Date: Thu, 04 Sep 2025 17:26:26 -0400
Subject: [PATCH 04/20] scripts/make-erofs.sh: Validate all paths
Message-Id: <20250904-systemd-v1-4-2a63b790a913@gmail.com>
References: <20250904-systemd-v1-0-2a63b790a913@gmail.com>
In-Reply-To: <20250904-systemd-v1-0-2a63b790a913@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross
X-Mailer: b4 0.14.2
List-Id: Patches and low-level development discussion

This isn't a security feature as the input is trusted, but it might catch some bugs in the future. Additionally, it will allow replacing an external command with builtin string manipulation, as paths that the builtin manipulation would mishandle will instead be rejected.
Signed-off-by: Demi Marie Obenour --- scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT root=$superroot/real_root mkdir -- "$root" +check_path () { + # Various code can only handle paths that do not end with / + # and are in canonical form. Reject others. + for i; do + case $i in + (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*) + printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2 + exit 1 + ;; + (*[!A-Za-z0-9._@+/-]*) + printf 'Path "%s" has forbidden characters\n' "$i" >&2 + exit 1 + ;; + (-*) + printf 'Path "%s" begins with -\n' "$i" >&2 + exit 1 + ;; + (/nix/store/*|[!/]*) + : + ;; + (*) + printf 'Path "%s" is neither relative nor a Nix store path\n' "$i" >&2 + exit 1 + ;; + esac + done +} + while read -r arg1; do read -r arg2 || ex_usage @@ -38,6 +66,7 @@ while read -r arg1; do echo if [ "$arg2" = / ]; then + check_path "$arg1" cp -RT -- "$arg1" "$root" # Nix store paths are read-only, so fix up permissions # so that subsequent copies can write to directories @@ -47,6 +76,8 @@ while read -r arg1; do continue fi + check_path "$arg1" "$arg2" + parent=$(dirname "$arg2") mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" -- 2.51.0
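Review bot: in the `check_path` hunk, the character whitelist `(*[!A-Za-z0-9._@+/-]*)` omits `=` and `?`, both of which Nix accepts in store path names, so a legitimately named `/nix/store/...` input would be rejected with "has forbidden characters"; either widen the class to `[!A-Za-z0-9._@+=?/-]` or note in the comment above the `case` that such names are deliberately unsupported. The same comment would be a good place to record why `/nix/store/*` is the only absolute prefix allowed, since at present the error text "is neither relative nor a Nix store path" is the only place that rule is spelled out.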
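Review bot: in the `if [ "$arg2" = / ]` hunk, only `"$arg1"` is passed to `check_path`, which is correct only because `check_path` rejects `/` itself (it matches the `*/` alternative), but that dependency is invisible at the call site; a one-line comment such as `# arg2 is / here, which check_path would reject` would keep a later reader from "fixing" the call by adding `"$arg2"` and breaking the root copy.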
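Review bot: in the last hunk, `check_path "$arg1" "$arg2"` runs before `parent=$(dirname "$arg2")`, which is what the commit message's plan to replace the external command with builtin string manipulation depends on; when that follow-up lands, note that `${arg2%/*}` only matches `dirname` when `$arg2` contains a slash (for a bare name it returns the name itself rather than `.`), so a `case $arg2 in (*/*) ...` branch will still be needed. Also worth a comment here: an absolute `/nix/store/...` destination passes `check_path` and produces `"$root//nix/store/..."`, which works but looks accidental if that form is intended.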