Extra internal validation #169
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
CI says you broke legitimate case here... |
DemiMarie
force-pushed
the
unnecessary-revalidate
branch
from
16c589e to
f57261b
Compare
|
PipelineRetry |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #169 +/- ##
==========================================
- Coverage 79.17% 79.16% -0.02%
==========================================
Files 54 54
Lines 9953 9996 +43
==========================================
+ Hits 7880 7913 +33
- Misses 2073 2083 +10 ☔ View full report in Codecov by Sentry. |
DemiMarie
force-pushed
the
unnecessary-revalidate
branch
from
f57261b to
55c1e06
Compare
|
Tests fail. And formatting need an update too |
DemiMarie
force-pushed
the
unnecessary-revalidate
branch
from
55c1e06 to
034537b
Compare
Previously it could produce invalid qrexec commands.
A username ending with ":nogui" is allowed in the policy engine
response, though not on the command line. This is because it may be
used by some to work around a limitation of the Windows agent: the
Windows agent handles
user:nogui:QUBESRPC SERVICE+ARG SOURCE
differently than it handles
user:QUBESRPC SERVICE+ARG SOURCE
and (unlike the Linux agent) this difference cannot be worked around by
changing service configuration. R5.0 will block this as well.
If the target domain passed on the command line or the normalized target returned by the policy engine contain a space, ill-formed command lines would be produced. To fix this, ensure that both the VM name passed on the command line and the normalized target returned by the policy engine are non-empty and contain only printable ASCII characters. The actual set of valid characters is smaller, but the input is trusted, so be conservative to ensure there are no regressions or maintenance problems. Together with the previous commit, this change ensures that all commands generated by qrexec-daemon will be parsed correctly by parse_qubes_rpc_command(). This also ensures that a newline in the VM name passed on the command line does not result in a malformed request being passed to the policy daemon.
Use a validating function instead.
It turns out that the Windows agent uses "|" as an internal delimiter, and programs under both Linux and Windows may assume that there are no forbidden characters in $QREXEC_REMOTE_DOMAIN and either $QREXEC_REQUESTED_TARGET_NAME or $QREXEC_REQUESTED_TARGET_KEYWORD. Only allow expected characters.
DemiMarie
force-pushed
the
unnecessary-revalidate
branch
from
034537b to
988d99f
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds some extra internal validation.