From: Demi Marie Obenour
Date: Wed, 19 Nov 2025 03:18:37 -0500
Subject: [PATCH v3 14/14] Validate configuration parameters
Message-Id: <20251119-updates-v3-14-b88a99915509@gmail.com>
References: <20251119-updates-v3-0-b88a99915509@gmail.com>
In-Reply-To: <20251119-updates-v3-0-b88a99915509@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross
List-Id: Patches and low-level development discussion

Wrong values for the version or update URL will cause very confusing
build-time or runtime errors. Provide a better user experience by
validating them up-front.

The update URL validator is loose. It rejects only URLs that cannot
possibly work: either appending /SHA256SUMS to them doesn't append to
the path, or they will definitely be rejected by curl due to being
malformed.

The version validator is in lib/config.nix, as the version number is
used in many places. It checks that the version only uses characters
that are permitted by systemd's version number specification [1] and
that will not break code that uses them in shell or sed commands.

[1]: https://uapi-group.org/specifications/specs/version_format_specification

Signed-off-by: Demi Marie Obenour
---
Changes since v2:
- Use loose URL validation: allow anything that might work.
- Only reject versions that violate the specification.
---
 host/rootfs/default.nix | 19 ++++++++++++++++++-
 lib/config.nix          | 20 ++++++++++++++------
 2 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index f0b7e061a1f39b3e70d337ef4fe14c98a8f022c8..06147eb8d1b713faac9b69ffdf42138d0c3e3093 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -85,6 +85,23 @@ let appvm-systemd-sysupdate = callSpectrumPackage ../../vm/app/systemd-sysupdate {}; }; + update-url = + let update-url = config.update-url; in + # Use builtins.fromJSON because it supports \uXXXX escapes. + # This is the same check done by check-url.awk in the update VM. + # The update code is careful to escape any metacharacters, but some + # simply cannot be made to work. Concatenating the URL with /SHA256SUMS + # must append to the path portion of the URL, and the URL must be one + # that libcurl will accept. I don't know how Unicode space is handled, + # but it is a bad idea. + if builtins.match (builtins.fromJSON "\"^[^\\u0001- #?\\u007F[:space:]]+$\"" update-url) == null then + builtins.abort '' + Update URL ${builtins.toJSON update-url} has forbidden characters. + Query strings, and fragment specifiers are not supported. + ASCII control characters and whitespace must be %-encoded. + '' + else + update-url; packagesSysroot = runCommand "packages-sysroot" { depsBuildBuild = [ inkscape ]; nativeBuildInputs = [ xorg.lndir ]; @@ -151,7 +168,7 @@ stdenvNoCC.mkDerivation { sed p ${writeClosure [ packagesSysroot] } >>$out ''; UPDATE_SIGNING_KEY = config.update-signing-key; - UPDATE_URL = config.update-url; + UPDATE_URL = update-url; VERSION = config.version; }; diff --git a/lib/config.nix b/lib/config.nix index d7edb967f339f2d0af97adef5c0302eb58950d19..4db6c34635abb1419224485f1e56119569375831 100644 --- a/lib/config.nix +++ b/lib/config.nix 
@@ -21,9 +21,17 @@ let finalConfig = default // callConfig config; in -finalConfig // { - update-signing-key = builtins.path { - name = "signing-key"; - path = finalConfig.update-signing-key; - }; -} +# See https://uapi-group.org/specifications/specs/version_format_specification +# for allowed version strings. +if builtins.match "[[:alnum:]_.~^-]+" finalConfig.version == null then + builtins.abort '' + Version ${builtins.toJSON finalConfig.version} has forbidden characters. + Only ASCII alphanumerics, ".", "_", "~", "^", "+", and "-" are allowed. + '' +else + finalConfig // { + update-signing-key = builtins.path { + name = "signing-key"; + path = finalConfig.update-signing-key; + }; + } -- 2.52.0
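Review bot: in the first host/rootfs/default.nix hunk (the one adding `update-url`), the character class only excludes bytes 0x01-0x20, `#`, `?` and 0x7F, so every non-ASCII character, including the Unicode whitespace the comment says it does not know how to handle, passes through as raw UTF-8 bytes. If that is acceptable under the "allow anything that might work" policy from the changelog, the comment should state it instead of expressing doubt; if it is not, an allow-list of printable ASCII minus `#` and `?` (something like `builtins.match "[!-\"$->@-~]+" update-url`) would make the intent explicit and drop the fromJSON trick entirely. Two smaller points: `builtins.match` already requires the whole string to match, so the `^` and `$` anchors are redundant, and the inner `let update-url = config.update-url; in` shadows the very binding being defined, which reads confusingly. Also the abort text "Query strings, and fragment specifiers are not supported." has a stray comma before "and". Since the comment says this mirrors check-url.awk in the update VM, a shared fixture of accepted and rejected URLs exercised against both would keep the two regexes from drifting.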
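Review bot: in the second host/rootfs/default.nix hunk, `UPDATE_URL = update-url;` now reads the validated binding while the neighbouring `VERSION = config.version;` relies on lib/config.nix having validated the version. Since the URL is consumed elsewhere too (the first hunk's comment mentions check-url.awk in the update VM), consider doing the URL check in lib/config.nix next to the version check, so every consumer of `config.update-url` sees the same validation and the rootfs can drop its local wrapper.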
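Review bot: in the lib/config.nix hunk, the bracket expression `[[:alnum:]_.~^-]+` does not include `+`, yet the abort message lists `"+"` among the allowed characters; one of the two is wrong, so either add `+` to the class or remove it from the message. The message also promises "ASCII alphanumerics" while `[:alnum:]` is a locale-defined class; spelling it `[0-9A-Za-z_.~^-]+` makes the ASCII-only intent unambiguous. Finally, the commit message claims the permitted characters will not break sed commands, but `.` and `^` are sed regex metacharacters, so that only holds where the version is used in replacement text or escaped first; a short comment recording that assumption next to the check would help the next reader.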