fix: harden the narinfo route pattern

[kalbasit]

The narinfo hash was updated in #840 to reflect the upstream definition
in NixOS/nix#15004 and so the server should only allow narinfo requests
that match this pattern.

[kalbasit]

• fix: harden NAR hash validation and improve URL parsing #842
• fix: harden the narinfo route pattern #841 👈 (View in Graphite)
• fix: harden the narinfo hash validation #840
• fix: Fix test data generation and skip signature verification #839
• fix: Improve NAR file serving and remove old URL prefix workaround #838
• fix: Apply NAR URL normalization in storage layer #837
• feat: Add NAR URL normalization function and support dashes/underscores in hashes #836
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[gemini-code-assist]

Summary of Changes

Hello @kalbasit, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the security of the narinfo endpoint by implementing a stricter regular expression for hash validation directly within the route definition. This change ensures that incoming requests for narinfo files adhere to the latest upstream specifications, thereby preventing malformed or malicious requests from reaching the handler and improving the overall robustness of the server's request handling.

Highlights

• Narinfo Route Hardening: The narinfo route pattern has been updated to align with the upstream definition in Add Nix32 encoding documentation NixOS/nix#15004, ensuring that only requests matching this specific pattern are allowed.
• Validation Shift: The hash validation logic for narinfo requests has been moved from an explicit helper.IsValidHash check within the handler to the routing pattern itself, making the route definition more robust.
• Test Updates: Related test cases in security_test.go were adjusted to reflect the new validation behavior, including the removal of a redundant valid hash test and an update to a path traversal test's expected status.

Changelog

• pkg/server/security_test.go
  • Removed a test case for a valid 52-character narinfo hash.
  • Modified a path traversal test case to use a different malicious path and expect a StatusNotFound instead of StatusBadRequest.
• pkg/server/server.go
  • Imported the narinfo package.
  • Updated the routeNarInfo constant to use the narinfo.NarInfoHashPattern for stricter hash validation.
  • Removed the explicit helper.IsValidHash check from the getNarInfo handler, as validation is now handled by the route pattern.

Activity

• No specific activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[dosubot]

Related Documentation

Checked 7 published document(s) in 1 knowledge base(s). No updates required.

^{How did I do? Any feedback?}  

[gemini-code-assist]

Code Review

This pull request hardens the security of the narinfo route by enforcing a stricter pattern for the hash at the router level. This is a good improvement. The associated test changes are mostly correct, though a test name could be more descriptive. I've also noted an opportunity for further cleanup in related handlers to maintain consistency with the changes made.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.96%. Comparing base (91945f3) to head (be06e36).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #841   +/-   ##
=====================================
  Coverage   3.96%   3.96%           
=====================================
  Files          6       6           
  Lines        429     429           
=====================================
  Hits          17      17           
  Misses       409     409           
  Partials       3       3           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[kalbasit]

Successfully created backport PR for release-0.8:

• fix: harden the narinfo route pattern [backport #841] #854