From: Demi Marie Obenour
Date: Fri, 21 Nov 2025 20:23:36 -0500
Subject: [PATCH v4 14/14] Validate configuration parameters
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20251121-updates-v4-14-d4561c42776e@gmail.com>
References: <20251121-updates-v4-0-d4561c42776e@gmail.com>
In-Reply-To: <20251121-updates-v4-0-d4561c42776e@gmail.com>
To: Spectrum OS Development
X-Mailer: b4 0.14.3
CC: Demi Marie Obenour, Alyssa Ross
List-Id: Patches and low-level development discussion

Wrong values for the version or update URL will cause very confusing
build-time or runtime errors. Provide a better user experience by
validating them up-front.

The update URL validator is loose.
It rejects only URLs that cannot possibly work: either appending /SHA256SUMS to them doesn't append to the path, or they will definitely be rejected by curl due to being malformed. The version validator is in lib/config.nix, as the version number is used in many places. It checks that the version only uses characters that are permitted by systemd's version number specification [1] and that will not break code that uses them in shell or sed commands. [1]: https://uapi-group.org/specifications/specs/version_format_specification Signed-off-by: Demi Marie Obenour --- Changes since v3: - Validate compression level. Changes since v2: - Use loose URL validation: allow anything that might work. - Only reject versions that violate the specification. --- Documentation/installation/getting-spectrum.adoc | 2 +- host/rootfs/default.nix | 19 ++++++++++++++++++- lib/config.nix | 12 +++++++++++- release/combined/eosimages.nix | 8 +++++++- 4 files changed, 37 insertions(+), 4 deletions(-) diff --git a/Documentation/installation/getting-spectrum.adoc b/Documentation/installation/getting-spectrum.adoc index 0abc83a9e6fc01084b3faa9b93eb38398b0aef27..919b28f86eddff1b92570d46b62a1fbddc32f2d5 100644 --- a/Documentation/installation/getting-spectrum.adoc +++ b/Documentation/installation/getting-spectrum.adoc @@ -93,7 +93,7 @@ you must provide your own. You can do this via xref:../development/build-configuration.adoc[build configuration]. The default sets the signing key to `/dev/null` and the server URL to an invalid value, so updates won't work. To enable updates, -set `update-url` to the URL of your server and `update-signing-key` +set `updateUrl` to the URL of your server and `updateSigningKey` to a binary GnuPG keyring to verify the updates with. Not all possible URLs will work, but most invalid URLs will cause an error during the build rather than runtime misbehavior. 
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index 1ebaf11cd7e9d61444b6524de6053a0f3cfb82c8..fed99013f960287c3be3941ca593b22c55a6f79a 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -85,6 +85,23 @@ let appvm-systemd-sysupdate = callSpectrumPackage ../../vm/app/systemd-sysupdate {}; }; + update-url = + let update-url = config.updateUrl; in + # Use builtins.fromJSON because it supports \uXXXX escapes. + # This is the same check done by check-url.awk in the update VM. + # The update code is careful to escape any metacharacters, but some + # simply cannot be made to work. Concatenating the URL with /SHA256SUMS + # must append to the path portion of the URL, and the URL must be one + # that libcurl will accept. I don't know how Unicode space is handled, + # but it is a bad idea. + if builtins.match (builtins.fromJSON "\"^[^\\u0001- #?\\u007F[:space:]]+$\"" update-url) == null then + builtins.abort '' + Update URL ${builtins.toJSON update-url} has forbidden characters. + Query strings, and fragment specifiers are not supported. + ASCII control characters and whitespace must be %-encoded. + '' + else + update-url; packagesSysroot = runCommand "packages-sysroot" { depsBuildBuild = [ inkscape ]; nativeBuildInputs = [ xorg.lndir ]; @@ -152,7 +169,7 @@ stdenvNoCC.mkDerivation { name = "signing-key"; path = config.updateSigningKey; }; - UPDATE_URL = config.updateUrl; + UPDATE_URL = update-url; VERSION = config.version; }; diff --git a/lib/config.nix b/lib/config.nix index bc5b42f506b7bfd2f66db48610491809351d1a2c..2065be83ad97f8eb011f070d8c3f3249104d07f4 100644 --- a/lib/config.nix +++ b/lib/config.nix 
@@ -18,6 +18,16 @@ let callConfig = config: if builtins.typeOf config == "lambda" then config { inherit default; } else config; + finalConfig = default // callConfig config; in -default // callConfig config +# Version is used in many files, so validate it here. +# See https://uapi-group.org/specifications/specs/version_format_specification +# for allowed version strings. +if builtins.match "[[:alnum:]_.~^-]+" finalConfig.version == null then + builtins.abort '' + Version ${builtins.toJSON finalConfig.version} has forbidden characters. + Only ASCII alphanumerics, ".", "_", "~", "^", "+", and "-" are allowed. + '' +else + finalConfig diff --git a/release/combined/eosimages.nix b/release/combined/eosimages.nix index 9cb35dcecee54c17392b609c493272ec83062e9b..5d1e3a67bb81cbb737823bfa3c75d88f18b31f2a 100644 --- a/release/combined/eosimages.nix +++ b/release/combined/eosimages.nix @@ -4,6 +4,12 @@ import ../../lib/call-package.nix ( { callSpectrumPackage, runCommand, e2fsprogs, tar2ext4, config }: +let + compressionLevel = config.compressionLevel; +in +if compressionLevel < 1 || compressionLevel > 9 then + builtins.abort "Compression level ${builtins.toString compressionLevel} is invalid (< 1 or > 9)" +else runCommand "eosimages.img" { nativeBuildInputs = [ e2fsprogs tar2ext4 ]; imageName = "Spectrum-0.0-x86_64-generic.0.Live.img"; @@ -16,7 +22,7 @@ runCommand "eosimages.img" { mkdir dir cd dir ln -s -- "$image" "$imageName" - gzip -${builtins.toString (0 + config.compressionLevel)} < "$image" > "$imageName.gz" + gzip -${builtins.toString compressionLevel} < "$image" > "$imageName.gz" sha256sum -- "$imageName.gz" > "$imageName.gz.sha256" tar -ch -- "$imageName.gz" "$imageName.gz.sha256" | tar2ext4 -o "$out" e2label "$out" eosimages -- 2.52.0
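Review bot: in the Documentation/installation/getting-spectrum.adoc hunk, the added sentence "Not all possible URLs will work, but most invalid URLs will cause an error during the build rather than runtime misbehavior" leaves the reader guessing which URLs are refused. The Nix check added in the same series rejects query strings, fragments, ASCII control characters and unescaped whitespace, so say that here, e.g. `The URL must have no query string or fragment, and any whitespace or control characters must be percent-encoded.` The same hunk also renames `update-url`/`update-signing-key` to `updateUrl`/`updateSigningKey` (the names the Nix code actually reads via `config.updateUrl` and `config.updateSigningKey`), which the commit message does not mention; a sentence noting that this corrects the option names would help whoever reads the log later.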
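Review bot: in the first host/rootfs/default.nix hunk, the comment's open question about Unicode space resolves to "it passes": `builtins.match` runs a POSIX ERE over the UTF-8 bytes, so `[:space:]` here covers only the six ASCII whitespace characters, all of which the `\u0001- ` range already excludes, and a URL containing U+00A0 or U+3000 sails through. If such characters should be refused, the simplest change is to exclude every byte above 0x7F as well (RFC 3986 URLs are ASCII, with anything else percent-encoded) and to say so in the abort text; otherwise drop the redundant `[:space:]` and the uncertain comment. Two smaller points: "Query strings, and fragment specifiers" has a stray comma, and since the comment says this duplicates check-url.awk in the update VM, two hand-maintained copies of one regex will drift silently; consider generating one from the other or adding a test that they agree.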
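Review bot: in the lib/config.nix hunk, the regex and the abort message disagree: `[[:alnum:]_.~^-]+` does not admit `+`, yet the message tells the user that `+` is allowed, so a version such as `1.0+git` is rejected with an error claiming it should be accepted. Either add `+` to the bracket expression or remove it from the message, whichever the linked specification supports. Since the commit message's stated goal is to keep the version safe inside shell and sed commands, consider also refusing a leading `-`: a version that starts with `-` is parsed as an option whenever it is the first argument to a command, whether or not it is quoted. A short comment that `[[:alnum:]]` is matched bytewise, and therefore admits ASCII letters and digits only, would make the message's "ASCII alphanumerics" claim verifiable from the code.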
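Review bot: in the first release/combined/eosimages.nix hunk, the range check assumes `config.compressionLevel` is an integer. A string such as `"9"` makes `<` abort with Nix's generic comparison error rather than the clear message this series is after, and a float such as `5.5` passes the range test and reaches the second hunk as `gzip -5.500000`, which fails at build time in exactly the confusing way the commit message wants to remove. Guard with `builtins.isInt compressionLevel` before the comparison and name the offending type in the abort text. Note that the removed `0 + config.compressionLevel` at least forced an early arithmetic error for strings; the replacement drops that without adding an equivalent.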
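The three validators this patch introduces, rendered as an added Python example for this review; it is not the project's code (which is Nix) and it reproduces the regexes from the hunks above with the POSIX classes expanded to explicit ASCII sets, since Python's `re` has no `[:alnum:]`. The `ascii_only` option of `check_update_url` and the integer test in `check_compression_level` are my additions, and the `example.invalid` URLs are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# Nix's builtins.match applies a POSIX ERE to the whole string, byte by byte.
# Python's re works on str, so the POSIX classes are written out as explicit
# ASCII sets and re.fullmatch() supplies the whole-string semantics.

# Update URL rule (host/rootfs/default.nix in the patch): no character in
# 0x01-0x20 (C0 controls and space), no '#', no '?', no DEL. The patch's
# [:space:] is already inside that range, so it is not spelled out again.
UPDATE_URL_RE = re.compile(r"[^\x01-\x20#?\x7f]+")

# Version rule (lib/config.nix in the patch): [[:alnum:]_.~^-]+ .
# '+' is absent here, exactly as in the patch's regex, even though the
# patch's error text lists it as allowed.
VERSION_RE = re.compile(r"[A-Za-z0-9_.~^-]+")


def check_update_url(url, ascii_only=False):
    """Return (ok, reason) for an update URL.

    ascii_only=True is my addition, not part of the patch: a byte-wise ERE
    cannot see Unicode whitespace such as U+00A0, and RFC 3986 requires such
    characters to be percent-encoded anyway, so refusing all non-ASCII closes
    that gap.
    """
    if not UPDATE_URL_RE.fullmatch(url):
        return False, ("query strings and fragments are not supported; "
                       "ASCII control characters and whitespace must be %-encoded")
    if ascii_only and not url.isascii():
        return False, "non-ASCII characters must be %-encoded"
    return True, ""


def sha256sums_lands_in_path(url):
    """True when appending /SHA256SUMS extends the path, not a query or fragment.

    This is the property the patch's comment describes and is the reason the
    regex above refuses '?' and '#'.
    """
    parts = urlsplit(url + "/SHA256SUMS")
    return parts.path.endswith("/SHA256SUMS") and not parts.query and not parts.fragment


def check_version(version):
    """True when the version uses only the characters the patch's regex allows."""
    return VERSION_RE.fullmatch(version) is not None


def check_compression_level(level):
    """True for an integer gzip level in 1..9.

    The patch compares with < and > only; the explicit int test is my addition.
    A float such as 5.5 would pass a pure range test, and a string would make
    Nix abort with its generic comparison error instead of a clear message.
    """
    return isinstance(level, int) and not isinstance(level, bool) and 1 <= level <= 9


if __name__ == "__main__":
    # Constructed sample values; example.invalid is a reserved name that never resolves.
    for url in ("https://example.invalid/updates",
                "https://example.invalid/updates?channel=stable",
                "https://example.invalid/up dates",
                "https://example.invalid/updates\u00a0"):
        ok, why = check_update_url(url)
        print(f"{url!r}: ok={ok} appends_to_path={sha256sums_lands_in_path(url)} {why}")
    for v in ("1.2.3~rc1", "0.0-x86_64", "1.0+git", "1.0 beta"):
        print(f"version {v!r}: {check_version(v)}")
    for lvl in (9, 0, 10, 5.5, "9"):
        print(f"compression level {lvl!r}: {check_compression_level(lvl)}")
```

Running the script shows the two distinct reasons a URL is refused: a `?` or `#` makes `/SHA256SUMS` land in the query or fragment instead of the path, while a space or tab leaves the path intact but is something curl will not accept unencoded. The U+00A0 sample passes the patch's rule and fails only under `ascii_only`, which is the gap the comment in the Nix hunk is unsure about.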