Demi Marie Obenour <demiobenour@gmail.com> writes:

> This isn't a security feature as the input is trusted, but it might
> catch some bugs in the future.  Additionally, it will allow replacing an
> external command with builtin string manipulation, as paths that the
> builtin manipulation would mishandle will instead be rejected.

In general this feels a bit overkill to me, but it depends — have you
encountered bugs this would help prevent?

> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
>  scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT
>  root=$superroot/real_root
>  mkdir -- "$root"
>  
> +check_path () {
> +	# Various code can only handle paths that do not end with /
> +	# and are in canonical form.  Reject others.
> +	for i; do
> +		case $i in
> +		(''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*)
> +			printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2
> +			exit 1
> +			;;
> +		(*[!A-Za-z0-9._@+/-]*)
> +			printf 'Path "%s" has forbidden characters\n' "$i" >&2
> +			exit 1
> +			;;

Not sure why we'd want to rule out most characters?  We're not really in
control of what characters packages choose to use in their store paths.

> +		(-*)
> +			printf 'Path "%s" begins with -\n' "$i" >&2
> +			exit 1
> +			;;
> +		(/nix/store/*|[!/]*)

It's technically possible to use Nix with a different store path, so I'd
like to avoid anything that requires us to hardcode /nix/store.

> +			:
> +			;;
> +		(*)
> +			printf 'Path "%s" is neither relative nor a Nix store path\n' "$i" >&2
> +			exit 1
> +			;;
> +		esac
> +	done
> +}
> +
>  while read -r arg1; do
>  	read -r arg2 || ex_usage
>  
> @@ -38,6 +66,7 @@ while read -r arg1; do
>  	echo
>  
>  	if [ "$arg2" = / ]; then
> +		check_path "$arg1"
>  		cp -RT -- "$arg1" "$root"
>  		# Nix store paths are read-only, so fix up permissions
>  		# so that subsequent copies can write to directories
> @@ -47,6 +76,8 @@ while read -r arg1; do
>  		continue
>  	fi
>  
> +	check_path "$arg1" "$arg2"
> +
>  	parent=$(dirname "$arg2")
>  	mkdir -p -- "$root/$parent"
>  	cp -RT -- "$arg1" "$root/$arg2"
>
> -- 
> 2.51.0