fix: unstrusted input marking and sanitization

salt/sys-git/files/server/rpc/qusal.GitInit

@@ -6,53 +6,61 @@
 
 set -eu
 
-base_path="$HOME/src"
-repo="$QREXEC_SERVICE_ARGUMENT"
-#origin="$QREXEC_REMOTE_DOMAIN"
-
 die(){
-  echo "error: $1" >&2
+  echo "error: ${1}" >&2
   exit 1
 }
 
-fail_invalid_name(){
-  if ! (echo "$repo" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$"); then
-    die "Invalid repository. Allowed chars: letters, numbers, hyphen, underscore and dot. It cannot begin with hyphen, underscore or dot."
-  fi
-}
-
 if ! command -v git >/dev/null; then
   die "Command not found: git"
 fi
 
-fail_invalid_name
-case "$repo" in
+untrusted_repo="${QREXEC_SERVICE_ARGUMENT}"
+
+if test -z "${untrusted_repo}"; then
+  die "Repository name is empty"
+fi
+
+if ! (echo "${untrusted_repo}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
+then
+  die "Forbidden characters in repository name. Allowed chars: letters, numbers, hyphen, underscore and dot. It cannot begin with hyphen, underscore or dot"
+fi
+
+## Length arbitrarily set.
+if test "${#untrusted_repo}" -gt 128; then
+  die "Repository name is too long: ${#untrusted_repo}"
+fi
+
+base_path="$HOME/src"
+repo="${untrusted_repo}"
+
+case "${repo}" in
   *".git") ;;
-  *) repo="$repo.git";;
+  *) repo="${repo}.git";;
 esac
 
-path="$base_path/$repo"
+path="${base_path}/${repo}"
 action="${0##*.Git}"
 
-case "$action" in
+case "${action}" in
   Fetch) service=git-upload-pack;;
   Push)  service=git-receive-pack;;
   Init)  service="git init --bare";;
   *) die "Invalid RPC name: ${0##*/}";;
 esac
 
-if test "$action" != "Init"; then
-  test -d "$path" || die "Directory doesn't exist: $repo"
-  git -C "$path" rev-parse >/dev/null 2>&1 || die "Not a git repository: $repo"
-  is_bare="$(git -C "$path" rev-parse --is-bare-repository)"
-  test "${is_bare}" = "true" || die "Not a bare repository: $repo"
+if test "${action}" != "Init"; then
+  test -d "${path}" || die "Directory doesn't exist: ${repo}"
+  git -C "${path}" rev-parse >/dev/null 2>&1 || die "Not a git repository: ${repo}"
+  is_bare="$(git -C "${path}" rev-parse --is-bare-repository)"
+  test "${is_bare}" = "true" || die "Not a bare repository: ${repo}"
 fi
 
-if ! test -d "$base_path"; then
+if ! test -d "${base_path}"; then
   # shellcheck disable=SC2174
-  mkdir -m 0700 -p "$base_path" >/dev/null 2>&1 ||
-    die "Cannot create directory: $base_path"
+  mkdir -m 0700 -p "${base_path}" >/dev/null 2>&1 ||
+    die "Cannot create directory: ${base_path}"
 fi
 
 # shellcheck disable=SC2086
-exec $service -- "$path"
+exec ${service} -- "${path}"

salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent

@@ -6,9 +6,25 @@
 
 set -eu
 
-#origin="$QREXEC_REMOTE_DOMAIN"
-agent="$QREXEC_SERVICE_ARGUMENT"
+untrusted_agent="$QREXEC_SERVICE_ARGUMENT"
+
+if test -z "${untrusted_agent}"; then
+  echo "Agent name is empty" >&2
+  exit 1
+fi
+
+if ! (echo "${untrusted_agent}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
+then
+  die "Forbidden characters in agent name. Allowed chars: letters, numbers, hyphen, underscore and dot. It cannot begin with hyphen, underscore or dot"
+fi
+
+## Length arbitrarily set.
+if test "${#untrusted_agent}" -gt 128; then
+  die "Repository name is too long: ${#untrusted_agent}"
+fi
+
+agent="${untrusted_agent}"
 socket="/tmp/qubes-ssh-agent/${agent}.sock"
 
 qvm-ssh-agent add "${agent}" >/dev/null
-exec socat STDIO UNIX-CLIENT:"$socket"
+exec socat STDIO UNIX-CLIENT:"${socket}"

salt/sys-syncthing/files/server/rpc/qusal.Syncthing

@@ -4,4 +4,6 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+set -eu
+
 exec socat STDIO TCP:localhost:22000