From: Demi Marie Obenour
Date: Wed, 12 Nov 2025 17:15:02 -0500
Subject: [PATCH v2 8/8] lib/config.nix: Validate configuration parameters
Message-Id: <20251112-updates-v2-8-88d96bf81b79@gmail.com>
References: <20251112-updates-v2-0-88d96bf81b79@gmail.com>
In-Reply-To: <20251112-updates-v2-0-88d96bf81b79@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross
X-Mailer: b4 0.14.3
List-Id: Patches and low-level development discussion

Wrong values for the version or update URL will cause very confusing
build-time or runtime errors. Provide a better user experience by
validating them up-front.

Signed-off-by: Demi Marie Obenour
---
 lib/config.nix | 41 +++++++++++++++++++++++++++++++++++------
 1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/lib/config.nix b/lib/config.nix index 5b6b95013734202b7e2e01d5ffce313080658006..660a2427447fd9851e60e955da6bd1a5d71cfdac 100644 --- a/lib/config.nix +++ b/lib/config.nix 
@@ -19,10 +19,39 @@ let inherit default; } else config; finalConfig = default // callConfig config; + + # Only allow unreserved characters, : (for port numbers), /, and %-encoding. + # The rest of the code is allowed to assume that these are the only characters + # in the update URL. + # Do not use [:alnum:] or [:hexdigit:] as they depend on the locale in POSIX. + # Query strings and fragment identifiers break appending + # /SHA256SUMS and /SHA256SUMS.gpg to a URL. + # [, ], {, and } would cause globbing in curl. + url-regex = "^https?://([ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789:./~-]|%[ABCDEFabcdef0123456789]{2})+$"; + update-url = finalConfig.update-url; + + # Only allow a numeric version for now. + number_re = "(0|[1-9][0-9]{0,2})"; + version_re = "^(${number_re}\\.){2}${number_re}$"; in - finalConfig // { - update-signing-key = builtins.path { - name = "signing-key"; - path = finalConfig.update-signing-key; - }; - } + if !builtins.isString update-url then + builtins.abort "Update URL must be a string, not ${builtins.typeOf update-url}" + else if builtins.match "^https?://.*" update-url == null then + builtins.abort "Update URL ${builtins.toJSON update-url} has unsupported scheme (not https:// or http://) or is invalid" + else if builtins.match url-regex update-url == null then + builtins.abort "Update URL ${builtins.toJSON update-url} has forbidden characters" + else if builtins.substring (builtins.stringLength update-url - 1) 1 update-url == "/" then + builtins.abort "Update URL ${builtins.toJSON update-url} must not end with /" + else if !builtins.isString finalConfig.version then + builtins.abort "Version must be a string, not ${builtins.typeOf finalConfig.version}" + else if builtins.match version_re finalConfig.version == null then + builtins.abort "Version ${builtins.toJSON finalConfig.version} is invalid" + else if !builtins.isPath finalConfig.update-signing-key then + builtins.abort "Update verification key file is of type 
${builtins.typeOf finalConfig.update-signing-key}, not path" + else + finalConfig // { + update-signing-key = builtins.path { + name = "signing-key"; + path = finalConfig.update-signing-key; + }; + } -- 2.51.2
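Review bot: the character class in `url-regex` omits `_`, although the comment directly above it says the class allows the unreserved characters, and RFC 3986 lists `_` among them (ALPHA / DIGIT / "-" / "." / "_" / "~"); either add `_` to the class or reword the comment so the two agree, because as written a mirror path containing an underscore is rejected with "has forbidden characters". Two smaller points in the same hunk: the new `builtins.isPath` check rejects a string-valued `update-signing-key`, which `builtins.path { path = ...; }` accepts and which the commit message does not mention, so please state whether that tightening is intended; and `builtins.abort` is not catchable by `builtins.tryEval`, so if you want evaluation-time tests that confirm invalid configurations are rejected, `throw` would be the better fit for these validation failures.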