Alyssa Ross <hi@alyssa.is> writes:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 10/29/25 08:01, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
Spectrum OS's host has no network access. Updates must be downloaded by VMs. The downloads are placed into a bind-mounted directory. The VM can write whatever it wants into that directory. This includes symlinks that subsequent code might open, which would create a path traversal vulnerability. It also includes paths with names containing containing terminal escape sequences, newlines, or other nastiness. Furthermore, the directory should not have any subdirectories either.
Add a simple C program that checks for such ugliness and indicates (via its exit code) if the VM misbehaved. It also ensures that both SHA256SUMS and SHA256SUMS.gpg are present.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 6 +- lib/kcmdline-utils.mk | 6 ++ tools/default.nix | 1 + tools/meson.build | 1 + tools/updates-dir-check/meson.build | 4 ++ tools/updates-dir-check/updates-dir-check.c | 94 +++++++++++++++++++++++++++++ 6 files changed, 110 insertions(+), 2 deletions(-)
I still don't really understand why this needs to be a C program instead of find -H /path/to/dir -not -type f. None of the other checks seem very necessary?
I trust this code more than I trust (especially) the Busybox implementation of find.
This doesn't really make sense to me. All of this is quite trivial find behaviour — not the sort of thing that's unlikely to have been widely tested. No objection to GNU find though if it helps.
(Or even uutils find?)