fix: harden the narinfo hash validation#840

Merged
kalbasit merged 1 commit into main from
02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation
Feb 12, 2026

@kalbasit
Owner

This commit hardens the narinfo hash validation to strictly enforce the Nix32
encoding specification:

  • Enforce exactly 32-character hash length (previously allowed any length)
  • Restrict to valid Nix32 alphabet: 0-9, a-d, f-n, p-s, v-z (previously
    allowed any lowercase letter and digit)
  • Explicitly reject forbidden characters: e, o, u, t
  • Reject uppercase letters and special characters

Added 18 comprehensive test cases covering:

  • Valid hashes with different character combinations
  • Invalid hashes with forbidden characters
  • Invalid hashes with wrong lengths
  • Invalid hashes with special characters and uppercase letters

This ensures that only valid Nix32 hashes are accepted, preventing potential
data corruption or compatibility issues in the narinfo processing pipeline.
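
The tightened rule described above, as an added Go example that is not the project's code: it shows which inputs an "any lowercase letter or digit, any length" rule let through and the strict 32-character Nix32 rule now refuses. The two patterns, the function names and the sample strings are assumptions reconstructed from the description, not copied from pkg/narinfo/hash.go.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Assumed reconstruction of the old and new rules from the PR description;
// names and patterns are illustrative, not taken from pkg/narinfo/hash.go.
var (
	legacyPattern = regexp.MustCompile(`^[a-z0-9]+$`)             // any length, any lowercase letter or digit
	strictPattern = regexp.MustCompile(`^[0-9a-df-np-sv-z]{32}$`) // exactly 32 Nix32 characters (no e, o, u, t)
	ErrLength     = errors.New("hash must be exactly 32 characters")
	ErrAlphabet   = errors.New("hash contains a character outside the Nix32 alphabet")
)

// checkHash applies the strict rule and reports which requirement failed.
func checkHash(h string) error {
	if len(h) != 32 {
		return ErrLength
	}
	if !strictPattern.MatchString(h) {
		return ErrAlphabet
	}
	return nil
}

// newlyRejected reports whether h passed the legacy rule but fails the strict one.
func newlyRejected(h string) bool {
	return legacyPattern.MatchString(h) && checkHash(h) != nil
}

func main() {
	// Constructed sample inputs, not real store path hashes.
	samples := []string{
		"0123456789abcdfghijklmnpqrsvwxyz", // the full Nix32 alphabet, 32 characters
		"e123456789abcdfghijklmnpqrsvwxyz", // forbidden 'e'
		"0123456789abcdfghijklmnpqrsvwxy",  // 31 characters
		"0123456789ABCDFGHIJKLMNPQRSVWXYZ", // uppercase
		"0123456789abcdfghijklmnpqrs-wxyz", // special character
	}
	for _, s := range samples {
		fmt.Printf("%-34q strict=%v newly-rejected=%v\n", s, checkHash(s), newlyRejected(s))
	}
}
```

In Go's regexp package `$` without the `m` flag matches only at the end of the text, so a 32-byte value that ends in a newline is rejected as well.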

@dosubot dosubot bot added enhancement New feature or request go Pull requests that update go code labels Feb 11, 2026
@gemini-code-assist
Contributor

Summary of Changes

Hello @kalbasit, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the robustness of narinfo hash validation by implementing strict adherence to the Nix32 encoding specification. The changes prevent potential data corruption or compatibility issues by ensuring that only correctly formatted hashes are processed, thereby improving the overall reliability of the system's data handling.

Highlights

  • Stricter Hash Validation: The ValidateHash function now strictly enforces the Nix32 encoding specification for narinfo hashes, ensuring compliance with length and character set requirements.
  • Nix32 Alphabet Enforcement: The validation now restricts hashes to the specific Nix32 alphabet (0-9, a-d, f-n, p-s, v-z) and explicitly rejects forbidden characters like 'e', 'o', 'u', and 't'.
  • Length and Case Sensitivity: Hashes are now required to be exactly 32 characters long, and uppercase letters or special characters are explicitly rejected.
  • Comprehensive Test Coverage: Eighteen new test cases have been added to thoroughly cover valid and invalid hash scenarios, including correct formats, forbidden characters, incorrect lengths, and special characters.

Changelog

  • pkg/narinfo/hash.go
    • Updated the narInfoHashPattern regular expression to enforce Nix32 encoding rules, including a fixed length of 32 characters and a restricted character set.
    • Added detailed comments to the ValidateHash function explaining the new validation requirements.
  • pkg/narinfo/hash_test.go
    • Added a new test file hash_test.go to provide comprehensive unit tests for the ValidateHash function.
    • Included 18 new test cases covering valid Nix32 hashes, hashes with forbidden characters, incorrect lengths, uppercase letters, and special characters.

Activity

  • No human activity has been recorded on this pull request yet.

@dosubot

dosubot bot commented Feb 11, 2026

Related Documentation

Checked 7 published document(s) in 1 knowledge base(s). No updates required.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request significantly improves the narinfo hash validation by enforcing strict Nix32 encoding rules for character set and length, which is a great improvement over the previous, more permissive validation. The addition of a comprehensive test suite with numerous cases is excellent, covering a wide range of valid and invalid inputs to ensure the new logic is robust. The changes are well-implemented. I have one minor suggestion to improve comment clarity.

@kalbasit kalbasit force-pushed the fix-test-data-generation-and-skip-signature-verification branch from 6cde063 to 6ffbcd0 Compare February 11, 2026 17:49
@kalbasit kalbasit force-pushed the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch from 8520594 to d14dbe2 Compare February 11, 2026 17:49
kalbasit added a commit that referenced this pull request Feb 11, 2026
The narinfo hash was updated in #840 to reflect the upstream definition
in NixOS/nix#15004 and so the server should only allow narinfo requests
that match this pattern.
@kalbasit kalbasit force-pushed the fix-test-data-generation-and-skip-signature-verification branch from 6ffbcd0 to b226ff0 Compare February 11, 2026 18:37
@kalbasit kalbasit force-pushed the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch from d14dbe2 to af8d25f Compare February 11, 2026 18:37
@kalbasit kalbasit force-pushed the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch from af8d25f to abf888a Compare February 11, 2026 19:07
@kalbasit kalbasit force-pushed the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch from abf888a to 72c518e Compare February 11, 2026 19:15
@kalbasit kalbasit force-pushed the fix-test-data-generation-and-skip-signature-verification branch from b226ff0 to ebe277b Compare February 11, 2026 19:15
Base automatically changed from fix-test-data-generation-and-skip-signature-verification to main February 11, 2026 19:29
@kalbasit kalbasit force-pushed the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch from 72c518e to 0cc36f7 Compare February 11, 2026 19:30
@kalbasit kalbasit force-pushed the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch from 926ba30 to 15b5c18 Compare February 11, 2026 19:31
@kalbasit kalbasit changed the title test: add comprehensive ValidateHash tests with strict Nix32 validation security: harden the narinfo hash validation Feb 11, 2026
@kalbasit kalbasit changed the title security: harden the narinfo hash validation fix: harden the narinfo hash validation Feb 11, 2026
@kalbasit kalbasit enabled auto-merge (squash) February 11, 2026 19:34
@kalbasit kalbasit force-pushed the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch from 15b5c18 to 714c33b Compare February 11, 2026 20:25
@kalbasit kalbasit force-pushed the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch from 714c33b to d7e4ebc Compare February 11, 2026 21:03
This commit hardens the narinfo hash validation to strictly enforce the Nix32
encoding specification:

- Enforce exactly 32-character hash length (previously allowed any length)
- Restrict to valid Nix32 alphabet: 0-9, a-d, f-n, p-s, v-z (previously
  allowed any lowercase letter and digit)
- Explicitly reject forbidden characters: e, o, u, t
- Reject uppercase letters and special characters

Added 18 comprehensive test cases covering:
- Valid hashes with different character combinations
- Invalid hashes with forbidden characters
- Invalid hashes with wrong lengths
- Invalid hashes with special characters and uppercase letters

This ensures that only valid Nix32 hashes are accepted, preventing potential
data corruption or compatibility issues in the narinfo processing pipeline.
@kalbasit kalbasit force-pushed the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch from d7e4ebc to 05cd73e Compare February 12, 2026 01:14
@kalbasit kalbasit added backport release-0.8 Backport PR automatically and removed backport release-0.8 Backport PR automatically labels Feb 12, 2026
@codecov

codecov bot commented Feb 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.96%. Comparing base (3d4d257) to head (05cd73e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@          Coverage Diff          @@
##            main    #840   +/-   ##
=====================================
  Coverage   3.96%   3.96%           
=====================================
  Files          6       6           
  Lines        429     429           
=====================================
  Hits          17      17           
  Misses       409     409           
  Partials       3       3           

@kalbasit kalbasit merged commit 91945f3 into main Feb 12, 2026
18 checks passed
@kalbasit kalbasit deleted the 02-11-test_add_comprehensive_validatehash_tests_with_strict_nix32_validation branch February 12, 2026 01:26
@kalbasit kalbasit added backport release-0.8 Backport PR automatically labels Feb 12, 2026
@kalbasit
Owner Author

Backport failed for release-0.8, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-0.8
git worktree add -d .worktree/backport-840-to-release-0.8 origin/release-0.8
cd .worktree/backport-840-to-release-0.8
git switch --create backport-840-to-release-0.8
git cherry-pick -x 91945f3df2fadd881c7dc0cc883b327458ee88a0

kalbasit added a commit that referenced this pull request Feb 12, 2026
This commit hardens the narinfo hash validation to strictly enforce the Nix32
encoding specification:

- Enforce exactly 32-character hash length (previously allowed any length)
- Restrict to valid Nix32 alphabet: 0-9, a-d, f-n, p-s, v-z (previously
  allowed any lowercase letter and digit)
- Explicitly reject forbidden characters: e, o, u, t
- Reject uppercase letters and special characters

Added 18 comprehensive test cases covering:
- Valid hashes with different character combinations
- Invalid hashes with forbidden characters
- Invalid hashes with wrong lengths
- Invalid hashes with special characters and uppercase letters

This ensures that only valid Nix32 hashes are accepted, preventing potential
data corruption or compatibility issues in the narinfo processing pipeline.

(cherry picked from commit 91945f3)
kalbasit added a commit that referenced this pull request Feb 12, 2026
The narinfo hash was updated in #840 to reflect the upstream definition
in NixOS/nix#15004 and so the server should only allow narinfo requests
that match this pattern.

(cherry picked from commit e91ec45)
kalbasit added a commit that referenced this pull request Feb 12, 2026
Bot-based backport to `release-0.8`, triggered by a label in #841.

The narinfo hash was updated in #840 to reflect the upstream definition
in NixOS/nix#15004 and so the server should only allow narinfo requests
that match this pattern.
Labels

backport release-0.8 Backport PR automatically enhancement New feature or request go Pull requests that update go code size:L This PR changes 100-499 lines, ignoring generated files.