GNU bug report logs - #71153
[PATCH] gnu: Validate substitute URLs for guix service.

Previous Next

Package: guix;

Reported by: Antero Mejr <mail <at> antr.me>

Date: Thu, 23 May 2024 22:35:02 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 71153 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#71153; Package guix. (Thu, 23 May 2024 22:35:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Antero Mejr <mail <at> antr.me>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 23 May 2024 22:35:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Antero Mejr <mail <at> antr.me>
To: bug-guix <at> gnu.org
Subject: [PATCH] gnu: Validate substitute URLs for guix service.
Date: Thu, 23 May 2024 22:33:42 +0000

* gnu/services/base.scm (guix-service-type): Validate `substitute-urls' field.

Change-Id: I11ed74304ab02ae550db5479be9f02601857f294
---
If you forget to write "https://" when specifying a substitute URL in
guix-configuration, the system will end up in a bad state where any
`guix pull` or `guix reconfigure` operation immediately fail. It's
difficult to fix, so validate the field to avoid the problem.

 gnu/services/base.scm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 85160bd3ab..da26b86c83 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -99,6 +99,7 @@ (define-module (gnu services base)
   #:use-module (srfi srfi-35)
   #:use-module (ice-9 match)
   #:use-module (ice-9 format)
+  #:use-module (web uri)
   #:re-export (user-processes-service-type        ;backwards compatibility
                %default-substitute-urls)
   #:export (fstab-service-type
@@ -2075,6 +2076,11 @@ (define (guix-extension-merge a b)
    (chroot-directories (append (guix-extension-chroot-directories a)
                                (guix-extension-chroot-directories b)))))
 
+(define (validate-substitute-url url-str)
+  (if (string->uri url-str)
+      url-str
+      (error "Not a valid substitute URL: " url-str)))
+
 (define guix-service-type
   (service-type
    (name 'guix)
@@ -2093,8 +2099,10 @@ (define guix-service-type
               (inherit config)
               (authorized-keys (append (guix-extension-authorized-keys extension)
                                        (guix-configuration-authorized-keys config)))
-              (substitute-urls (append (guix-extension-substitute-urls extension)
-                                       (guix-configuration-substitute-urls config)))
+              (substitute-urls
+               (map validate-substitute-url
+                    (append (guix-extension-substitute-urls extension)
+                            (guix-configuration-substitute-urls config))))
               (build-machines
                (and (or (guix-configuration-build-machines config)
                         (pair? (guix-extension-build-machines extension)))

base-commit: 9901416233867233192b63fde7f616751127b189
-- 
2.41.0
Information forwarded to bug-guix <at> gnu.org:
bug#71153; Package guix. (Fri, 24 May 2024 14:20:01 GMT) Full text and rfc822 format available.

Message #8 received at 71153 <at> debbugs.gnu.org (full text, mbox):

From: Richard Sent <richard <at> freakingpenguin.com>
To: Antero Mejr <mail <at> antr.me>
Cc: 71153 <at> debbugs.gnu.org
Subject: Re: bug#71153: [PATCH] gnu: Validate substitute URLs for guix service.
Date: Fri, 24 May 2024 10:19:32 -0400

Antero Mejr <mail <at> antr.me> writes:

> +(define (validate-substitute-url url-str)
> +  (if (string->uri url-str)
> +      url-str
> +      (error "Not a valid substitute URL: " url-str)))
> +

> +              (substitute-urls
> +               (map validate-substitute-url
> +                    (append (guix-extension-substitute-urls extension)
> +                            (guix-configuration-substitute-urls config))))

Should we instead create a validate-substitute-urls and use that as a
sanitizer for the guix-extension and guix-configuration records? This
would catch errors during record creation instead of service creation,
as well as still perform validation if anything else does or will use
those records in the future.

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.
Information forwarded to bug-guix <at> gnu.org:
bug#71153; Package guix. (Fri, 24 May 2024 18:28:01 GMT) Full text and rfc822 format available.

Message #11 received at 71153 <at> debbugs.gnu.org (full text, mbox):

From: Antero Mejr <mail <at> antr.me>
To: Richard Sent <richard <at> freakingpenguin.com>
Cc: 71153 <at> debbugs.gnu.org
Subject: Re: bug#71153: [PATCH] gnu: Validate substitute URLs for guix service.
Date: Fri, 24 May 2024 18:26:56 +0000

Richard Sent <richard <at> freakingpenguin.com> writes:

> Should we instead create a validate-substitute-urls and use that as a
> sanitizer for the guix-extension and guix-configuration records? This
> would catch errors during record creation instead of service creation,
> as well as still perform validation if anything else does or will use
> those records in the future.

The problem mentioned in the initial patch only occurs when the invalid
URLs are used in the Guix service type. Having them in the record isn't
a problem. I don't there there is a major difference in where the
validation occurs though.
This bug report was last modified 106 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.