fix: harden NAR hash validation and improve URL parsing#842
Conversation
dosubot
bot
added
the
size:L
dosubot
bot
added
bug
Summary of ChangesHello @kalbasit, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the security and reliability of NAR hash validation and URL parsing. By introducing stricter validation rules for NAR hashes, enforcing the Nix32 format, and completely overhauling the URL parsing logic, the system is now more resilient to invalid or malicious inputs. These changes ensure consistent and secure handling of NAR-related URLs across the application. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
|
Related Documentation Checked 7 published document(s) in 1 knowledge base(s). No updates required. How did I do? Any feedback? |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request significantly hardens NAR hash validation and improves URL parsing, which is a great step towards improving security and robustness. The new ParseURL implementation is much clearer and safer than the previous regex-based approach. The introduction of a strict HashPattern for NAR hashes prevents invalid or malicious inputs. The updates to tests to use valid Nix32 hashes are also a welcome change, ensuring consistency. Overall, this is a high-quality contribution that strengthens the application's core logic.
kalbasit
force-pushed
the
02-11-security_harden_the_nar_url
branch
from
9a1a3c6 to
6ba6599
Compare
kalbasit
force-pushed
the
02-11-security_harden_the_narinfo_route_pattern
branch
from
ad68338 to
e6e447c
Compare
kalbasit
force-pushed
the
02-11-security_harden_the_nar_url
branch
from
6ba6599 to
c7347a1
Compare
kalbasit
force-pushed
the
02-11-security_harden_the_narinfo_route_pattern
branch
from
e6e447c to
be06e36
Compare
kalbasit
force-pushed
the
02-11-security_harden_the_nar_url
branch
from
c7347a1 to
ab266e5
Compare
This change strengthens the validation of NAR hashes by enforcing a strict Nix32 format (52 characters) and optional narinfo hash prefix. The ParseURL function has been rewritten to be more robust, separating the hash and compression components more reliably and validating the hash before further processing. Key improvements: - Defined NormalizedHashPattern and HashPattern for precise hash validation. - Enhanced ParseURL to correctly handle various NAR URL formats including those with query parameters. - Improved the Normalize method in the URL struct to better handle narinfo hash prefixes and sanitize the hash against path traversal. - Updated all relevant tests to use valid Nix32 hashes and removed redundant test cases. - Ensured consistent URL construction in JoinURL by correctly handling paths and query parameters. This hardening prevents potential security issues related to invalid or malicious NAR URLs and ensures consistent behavior across the application.
kalbasit
force-pushed
the
02-11-security_harden_the_nar_url
branch
from
ab266e5 to
9d82f3a
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #842 +/- ##
=====================================
Coverage 3.96% 3.96%
=====================================
Files 6 6
Lines 429 429
=====================================
Hits 17 17
Misses 409 409
Partials 3 3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
Backport failed for Please cherry-pick the changes locally and resolve any conflicts. git fetch origin release-0.8
git worktree add -d .worktree/backport-842-to-release-0.8 origin/release-0.8
cd .worktree/backport-842-to-release-0.8
git switch --create backport-842-to-release-0.8
git cherry-pick -x 2bb8649e9ede4161b25b801fcffe5b795728aa2d |
|
Backport failed for Please cherry-pick the changes locally and resolve any conflicts. git fetch origin release-0.8
git worktree add -d .worktree/backport-842-to-release-0.8 origin/release-0.8
cd .worktree/backport-842-to-release-0.8
git switch --create backport-842-to-release-0.8
git cherry-pick -x 2bb8649e9ede4161b25b801fcffe5b795728aa2d |
This change strengthens the validation of NAR hashes by enforcing a strict Nix32 format (52 characters) and optional narinfo hash prefix. The ParseURL function has been rewritten to be more robust, separating the hash and compression components more reliably and validating the hash before further processing. Key improvements: - Defined NormalizedHashPattern and HashPattern for precise hash validation. - Enhanced ParseURL to correctly handle various NAR URL formats including those with query parameters. - Improved the Normalize method in the URL struct to better handle narinfo hash prefixes and sanitize the hash against path traversal. - Updated all relevant tests to use valid Nix32 hashes and removed redundant test cases. - Ensured consistent URL construction in JoinURL by correctly handling paths and query parameters. This hardening prevents potential security issues related to invalid or malicious NAR URLs and ensures consistent behavior across the application. (cherry picked from commit 2bb8649)
… (#858) This change strengthens the validation of NAR hashes by enforcing a strict Nix32 format (52 characters) and optional narinfo hash prefix. The ParseURL function has been rewritten to be more robust, separating the hash and compression components more reliably and validating the hash before further processing. Key improvements: - Defined NormalizedHashPattern and HashPattern for precise hash validation. - Enhanced ParseURL to correctly handle various NAR URL formats including those with query parameters. - Improved the Normalize method in the URL struct to better handle narinfo hash prefixes and sanitize the hash against path traversal. - Updated all relevant tests to use valid Nix32 hashes and removed redundant test cases. - Ensured consistent URL construction in JoinURL by correctly handling paths and query parameters. This hardening prevents potential security issues related to invalid or malicious NAR URLs and ensures consistent behavior across the application. (cherry picked from commit 2bb8649)
1 participant
This change strengthens the validation of NAR hashes by enforcing a
strict Nix32 format (52 characters) and optional narinfo hash prefix.
The ParseURL function has been rewritten to be more robust, separating
the hash and compression components more reliably and validating the
hash before further processing.
Key improvements:
narinfo hash prefixes and sanitize the hash against path traversal.
This hardening prevents potential security issues related to invalid or
malicious NAR URLs and ensures consistent behavior across the
application.