Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extra internal validation #169

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Extra internal validation #169

wants to merge 4 commits into from

Conversation

DemiMarie
Copy link
Contributor

This adds some extra internal validation.

@marmarek
Copy link
Member

CI says you broke legitimate case here...

@DemiMarie
Prevent colon in username from causing problems
db5be06 
Previously it could produce invalid qrexec commands.

A username ending with ":nogui" is allowed in the policy engine
response, though not on the command line.  This is because it may be
used by some to work around a limitation of the Windows agent: the
Windows agent handles

    user:nogui:QUBESRPC SERVICE+ARG SOURCE

differently than it handles

    user:QUBESRPC SERVICE+ARG SOURCE

and (unlike the Linux agent) this difference cannot be worked around by
changing service configuration.  R5.0 will block this as well.
@DemiMarie
Ensure that generated commands are well-formed
0527466 
If the target domain passed on the command line or the normalized target
returned by the policy engine contain a space, ill-formed command lines
would be produced.

To fix this, ensure that both the VM name passed on the command line and
the normalized target returned by the policy engine are non-empty and
contain only printable ASCII characters.  The actual set of valid
characters is smaller, but the input is trusted, so be conservative to
ensure there are no regressions or maintenance problems.  Together with
the previous commit, this change ensures that all commands generated by
qrexec-daemon will be parsed correctly by parse_qubes_rpc_command().

This also ensures that a newline in the VM name passed on the command
line does not result in a malformed request being passed to the policy
daemon.
@DemiMarie
Avoid using atoi() to parse integers
27639c0 
Use a validating function instead.
@DemiMarie
Stricter validation of VM names and normalized targets
f57261b 
It turns out that the Windows agent uses "|" as an internal delimiter,
and programs under both Linux and Windows may assume that there are no
forbidden characters in $QREXEC_REMOTE_DOMAIN and either
$QREXEC_REQUESTED_TARGET_NAME or $QREXEC_REQUESTED_TARGET_KEYWORD.  Only
allow expected characters.
@marmarek
Copy link
Member

PipelineRetry

@codecov Codecov
Copy link

codecov bot commented Jun 24, 2024

Codecov Report

Attention: Patch coverage is 77.04918% with 14 lines in your changes missing coverage. Please review.

Project coverage is 77.98%. Comparing base (7a2155d) to head (f57261b).

Files Patch % Lines
daemon/qrexec-daemon.c 44.44% 10 Missing ⚠️
daemon/qrexec-daemon-common.c 71.42% 4 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #169      +/-   ##
==========================================
+ Coverage   77.96%   77.98%   +0.01%     
==========================================
  Files          54       54              
  Lines        9630     9674      +44     
==========================================
+ Hits         7508     7544      +36     
- Misses       2122     2130       +8

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@DemiMarie @marmarek