From: Alyssa Ross
To: Demi Marie Obenour
Cc: Spectrum OS Development
Subject: Re: [PATCH 04/20] scripts/make-erofs.sh: Validate all paths
Date: Mon, 08 Sep 2025 10:36:40 +0200
Message-ID: <871pohl4rr.fsf@alyssa.is>
In-Reply-To: <20250904-systemd-v1-4-2a63b790a913@gmail.com>
References: <20250904-systemd-v1-0-2a63b790a913@gmail.com> <20250904-systemd-v1-4-2a63b790a913@gmail.com>

Demi Marie Obenour writes:

> This isn't a security feature as the input is trusted, but it might
> catch some bugs in the future. Additionally, it will allow replacing an
> external command with builtin string manipulation, as paths that the
> builtin manipulation would mishandle will instead be rejected.

In general this feels a bit overkill to me, but it depends — have you
encountered bugs this would help prevent?

> Signed-off-by: Demi Marie Obenour
> ---
>  scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT
>  root=$superroot/real_root
>  mkdir -- "$root"
>  
> +check_path () {
> +	# Various code can only handle paths that do not end with /
> +	# and are in canonical form. Reject others.
> +	for i; do
> +		case $i in
> +		(''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*)
> +			printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2
> +			exit 1
> +			;;
> +		(*[!A-Za-z0-9._@+/-]*)
> +			printf 'Path "%s" has forbidden characters\n' "$i" >&2
> +			exit 1
> +			;;

Not sure why we'd want to rule out most characters? We're not really in
control of what characters packages choose to use in their store paths.

> +		(-*)
> +			printf 'Path "%s" begins with -\n' "$i" >&2
> +			exit 1
> +			;;
> +		(/nix/store/*|[!/]*)

It's technically possible to use Nix with a different store path, so I'd
like to avoid anything that requires us to hardcode /nix/store.

> +			:
> +			;;
> +		(*)
> +			printf 'Path "%s" is neither relative nor a Nix store path\n' "$i" >&2
> +			exit 1
> +			;;
> +		esac
> +	done
> +}
> +
>  while read -r arg1; do
>  	read -r arg2 || ex_usage
>  
> @@ -38,6 +66,7 @@ while read -r arg1; do
>  	echo
>  
>  	if [ "$arg2" = / ]; then
> +		check_path "$arg1"
>  		cp -RT -- "$arg1" "$root"
>  		# Nix store paths are read-only, so fix up permissions
>  		# so that subsequent copies can write to directories
> @@ -47,6 +76,8 @@ while read -r arg1; do
>  		continue
>  	fi
>  
> +	check_path "$arg1" "$arg2"
> +
>  	parent=$(dirname "$arg2")
>  	mkdir -p -- "$root/$parent"
>  	cp -RT -- "$arg1" "$root/$arg2"
>
> -- 
> 2.51.0
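Review bot: the character allowlist in the second `case` arm of `check_path` in the first hunk, `(*[!A-Za-z0-9._@+/-]*)`, rejects `=` and `?`, which Nix permits in store path names, while accepting `@`, which Nix does not, so it neither mirrors Nix's own rule nor states which rule it is enforcing; either align the class with Nix's allowed set (alphanumerics plus `+-._?=`) or drop the arm as the reply suggests, and say in the comment above the function what "canonical" is meant to cover. The `(-*)` arm in the same function is also redundant with the `--` that every `cp` and `mkdir` call in this script already passes, so it can go as well.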
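Review bot: in the second hunk, the added `check_path "$arg1"` inside the `[ "$arg2" = / ]` branch accepts a relative `$arg1` as well as a store path (the `[!/]*` arm), so a relative source would be copied from whatever the current working directory happens to be straight onto the image root; if sources are always store paths, as the commit message's "input is trusted" implies, a source-specific check that only admits absolute paths would make that assumption explicit, or at least the accepted forms should be documented next to the call.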
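Review bot: in the third hunk, `check_path "$arg1" "$arg2"` applies one rule to both the source and the destination, so an absolute store path given as `$arg2` passes validation and is then joined as `$root/$arg2`, which produces `$root//nix/store/...` and a store-like tree inside the image rather than an error; since `parent=$(dirname "$arg2")` and `mkdir -p -- "$root/$parent"` operate on that joined path, add a separate relative-only check for `$arg2` (rejecting `/*` before the join) so the mistake is reported at validation time instead of showing up as an unexpected directory layout.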