Date: Sun, 2 Nov 2025 13:43:12 +0100
From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH 3/7] tools: Add directory checker for updates
In-Reply-To: <87ms54pr0l.fsf@alyssa.is>
References: <20251029-updates-v1-0-401c1be2a11b@gmail.com> <20251029-updates-v1-3-401c1be2a11b@gmail.com> <87sef1kjbk.fsf@alyssa.is> <72921587-e951-4bfb-b68e-5cb05fc32609@gmail.com> <87bjlmq756.fsf@alyssa.is> <831ecec1-d782-4fab-a6d5-40eae0f9ad92@gmail.com> <87ms54pr0l.fsf@alyssa.is>

On Sun, Nov 02, 2025 at 01:18:02PM +0100, Alyssa Ross wrote:
> Demi Marie Obenour writes:
>
> > On 11/1/25 08:17, Alyssa Ross wrote:
> >> Demi Marie Obenour writes:
> >>
> >>> On 10/29/25 08:01, Alyssa Ross wrote:
> >>>> Demi Marie Obenour writes:
> >>>>
> >>>>> Spectrum OS's host has no network access. Updates must be downloaded by
> >>>>> VMs. The downloads are placed into a bind-mounted directory. The VM
> >>>>> can write whatever it wants into that directory. This includes symlinks
> >>>>> that subsequent code might open, which would create a path traversal
> >>>>> vulnerability. It also includes paths with names containing
> >>>>> terminal escape sequences, newlines, or other nastiness. Furthermore,
> >>>>> the directory should not have any subdirectories either.
> >>>>>
> >>>>> Add a simple C program that checks for such ugliness and indicates
> >>>>> (via its exit code) if the VM misbehaved. It also ensures that both
> >>>>> SHA256SUMS and SHA256SUMS.gpg are present.
> >>>>>
> >>>>> Signed-off-by: Demi Marie Obenour
> >>>>> ---
> >>>>>  host/rootfs/Makefile                        |  6 +-
> >>>>>  lib/kcmdline-utils.mk                       |  6 ++
> >>>>>  tools/default.nix                           |  1 +
> >>>>>  tools/meson.build                           |  1 +
> >>>>>  tools/updates-dir-check/meson.build         |  4 ++
> >>>>>  tools/updates-dir-check/updates-dir-check.c | 94 +++++++++++++++++++++++++++
> >>>>>  6 files changed, 110 insertions(+), 2 deletions(-)
> >>>>
> >>>> I still don't really understand why this needs to be a C program instead
> >>>> of find -H /path/to/dir -not -type f. None of the other checks seem
> >>>> very necessary?
> >>>
> >>> I trust this code more than I trust (especially) the Busybox
> >>> implementation of find.
> >>
> >> This doesn't really make sense to me. All of this is quite trivial find
> >> behaviour — not the sort of thing that's unlikely to have been widely
> >> tested. No objection to GNU find though if it helps.
> >
> > I see: find with a -exec false to return an error if anything matching
> > is found?
> >
> > I'm way more familiar with C than with find, which is why I missed this.
>
> Hmm, thinking about it some more I suppose there's a problem with find:
> there's no way to get it to exit as soon as it finds a matching file,
> with a failing error code, so it could end up running way too long.
>
> So the C program is fine, I guess.

Actually, we can do it. We just need to make find not responsible for
exiting.

    foreground {
      pipeline { find -H /path/to/dir -mindepth 1 -not -type f -prune }
      grep -q .
    }
    importas -iu ? ?
    if { test $? -eq 1 }
    # We have only regular files.

When find prints a line, grep will exit, and find will receive SIGPIPE
and exit.
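As an added example that is not part of the thread or of the patch: a plain-shell version of the same directory check, covering all three conditions from the patch description (only regular files, no control characters in names, SHA256SUMS and SHA256SUMS.gpg present) and using the grep -q / SIGPIPE early exit described above. It assumes GNU or BusyBox find for -H and -mindepth; the function name is made up here.

```shell
#!/bin/sh
# Added example, not code from the patch or the thread: a shell version of
# the updates-directory check. Assumes GNU or BusyBox find (-H, -mindepth).
# Returns 0 only if DIR contains nothing but regular files whose names have
# no control characters, and both SHA256SUMS and SHA256SUMS.gpg are present.
check_updates_dir() {
    dir=$1

    # 1. Any entry that is not a regular file (symlink, subdirectory, fifo,
    #    device) fails the check. -H follows a symlink only for DIR itself,
    #    so a symlink inside it is reported as type l, not as its target.
    #    -prune stops find descending into a subdirectory once reported.
    #    grep -q exits on the first line; find then gets SIGPIPE and stops.
    if LC_ALL=C find -H "$dir" -mindepth 1 ! -type f -prune -print \
            | LC_ALL=C grep -q .; then
        echo "updates dir contains a non-regular entry" >&2
        return 1
    fi

    # 2. Names with control characters (newline, ESC, ...) are rejected.
    #    LC_ALL=C makes [:cntrl:] mean bytes 0-31 and 127 regardless of
    #    locale, and lets grep's '.' match any byte, even invalid UTF-8.
    if LC_ALL=C find -H "$dir" -mindepth 1 -name '*[[:cntrl:]]*' -print \
            | LC_ALL=C grep -q .; then
        echo "updates dir contains a name with control characters" >&2
        return 1
    fi

    # 3. Both the checksum list and its detached signature must exist.
    for f in SHA256SUMS SHA256SUMS.gpg; do
        if [ ! -f "$dir/$f" ]; then
            echo "updates dir is missing $f" >&2
            return 1
        fi
    done
    return 0
}

# The untrusted file names are deliberately never echoed: printing them is
# exactly the terminal escape-sequence problem the check exists to catch.
if [ -n "${1-}" ]; then
    check_updates_dir "$1"
fi
```

The error messages name only the trusted directory argument, never the VM-supplied file name, so the checker itself cannot be used to push escape sequences at the host's terminal.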