fix(packages): validate debian distribution and component names (#38116)

**Newline injection into the Debian Release and Packages indices** The `distribution` and `component` come straight from the request path and are written line by line into the generated `Release` and `Packages` files (the `Suite`/`Codename`/`Components` lines and the `Filename: pool/<distribution>/<component>/...` line), but `UploadPackageFile` only checked they were non-empty. `ctx.PathParam` url-decodes the segment, so an encoded newline such as `main%0AInjected-Field: x` is accepted, stored and then re-emitted for that distribution, which lets an authenticated uploader forge extra fields in the index apt consumes. Restricted both values to a conservative name pattern in the handler, since that is the layer that accepts them; this should also keep the pool paths well formed. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-06-29 14:16:26 +02:00 · 2026-06-29 12:20:22 +05:30 · 2026-06-29 12:20:22 +05:30 · 0c67849e68
commit 0c67849e68
parent 762c674bc5
3 changed files with 79 additions and 24 deletions
--- a/modules/packages/debian/metadata.go
+++ b/modules/packages/debian/metadata.go
@ -11,6 +11,7 @@ import (
 	"net/mail"
 	"regexp"
 	"strings"
+	"sync"

 	"gitea.dev/modules/util"
 	"gitea.dev/modules/validation"
@ -36,18 +37,36 @@ const (
 	controlTar = "control.tar"
 )

-var (
-	ErrMissingControlFile     = util.NewInvalidArgumentErrorf("control file is missing")
-	ErrUnsupportedCompression = util.NewInvalidArgumentErrorf("unsupported compression algorithm")
-	ErrInvalidName            = util.NewInvalidArgumentErrorf("package name is invalid")
-	ErrInvalidVersion         = util.NewInvalidArgumentErrorf("package version is invalid")
-	ErrInvalidArchitecture    = util.NewInvalidArgumentErrorf("package architecture is invalid")
+var GlobalVars = sync.OnceValue(func() (ret struct {
+	ErrMissingControlFile     error
+	ErrUnsupportedCompression error
+	ErrInvalidName            error
+	ErrInvalidVersion         error
+	ErrInvalidArchitecture    error
+
+	namePattern    *regexp.Regexp
+	versionPattern *regexp.Regexp
+	symbolPattern  *regexp.Regexp
+},
+) {
+	ret.ErrMissingControlFile = util.NewInvalidArgumentErrorf("control file is missing")
+	ret.ErrUnsupportedCompression = util.NewInvalidArgumentErrorf("unsupported compression algorithm")
+	ret.ErrInvalidName = util.NewInvalidArgumentErrorf("package name is invalid")
+	ret.ErrInvalidVersion = util.NewInvalidArgumentErrorf("package version is invalid")
+	ret.ErrInvalidArchitecture = util.NewInvalidArgumentErrorf("package architecture is invalid")

 	// https://www.debian.org/doc/debian-policy/ch-controlfields.html#source
-	namePattern = regexp.MustCompile(`\A[a-z0-9][a-z0-9+-.]+\z`)
+	ret.namePattern = regexp.MustCompile(`\A[a-z0-9][a-z0-9+-.]+\z`)
 	// https://www.debian.org/doc/debian-policy/ch-controlfields.html#version
-	versionPattern = regexp.MustCompile(`\A(?:(0|[1-9][0-9]*):)?[a-zA-Z0-9.+~]+(?:-[a-zA-Z0-9.+-~]+)?\z`)
-)
+	ret.versionPattern = regexp.MustCompile(`\A(?:(0|[1-9][0-9]*):)?[a-zA-Z0-9.+~]+(?:-[a-zA-Z0-9.+-~]+)?\z`)
+
+	// distribution and component are taken from the request path and written
+	// verbatim into the generated line-based Release and Packages indices (and
+	// into the pool/<distribution>/<component> paths referenced from them), so
+	// they must be restricted to a character set that cannot break that format.
+	ret.symbolPattern = regexp.MustCompile(`\A[a-zA-Z0-9][a-zA-Z0-9.~+_-]*\z`)
+	return ret
+})

 type Package struct {
 	Name         string
@ -64,6 +83,10 @@ type Metadata struct {
 	Dependencies []string `json:"dependencies,omitempty"`
 }

+func IsValidDistributionOrComponent(s string) bool {
+	return GlobalVars().symbolPattern.MatchString(s)
+}
+
 // ParsePackage parses the Debian package file
 // https://manpages.debian.org/bullseye/dpkg-dev/deb.5.en.html
 func ParsePackage(r io.Reader) (*Package, error) {
@ -109,7 +132,7 @@ func ParsePackage(r io.Reader) (*Package, error) {

 				inner = zr
 			default:
-				return nil, ErrUnsupportedCompression
+				return nil, GlobalVars().ErrUnsupportedCompression
 			}

 			tr := tar.NewReader(inner)
@ -133,7 +156,7 @@ func ParsePackage(r io.Reader) (*Package, error) {
 		}
 	}

-	return nil, ErrMissingControlFile
+	return nil, GlobalVars().ErrMissingControlFile
 }

 // ParseControlFile parses a Debian control file to retrieve the metadata
@ -210,14 +233,14 @@ func ParseControlFile(r io.Reader) (*Package, error) {
 		return nil, err
 	}

-	if !namePattern.MatchString(p.Name) {
-		return nil, ErrInvalidName
+	if !GlobalVars().namePattern.MatchString(p.Name) {
+		return nil, GlobalVars().ErrInvalidName
 	}
-	if !versionPattern.MatchString(p.Version) {
-		return nil, ErrInvalidVersion
+	if !GlobalVars().versionPattern.MatchString(p.Version) {
+		return nil, GlobalVars().ErrInvalidVersion
 	}
 	if p.Architecture == "" {
-		return nil, ErrInvalidArchitecture
+		return nil, GlobalVars().ErrInvalidArchitecture
 	}

 	dependencies := strings.Split(depends.String(), ",")
--- a/modules/packages/debian/metadata_test.go
+++ b/modules/packages/debian/metadata_test.go
@ -49,7 +49,7 @@ func TestParsePackage(t *testing.T) {

 		p, err := ParsePackage(data)
 		assert.Nil(t, p)
-		assert.ErrorIs(t, err, ErrMissingControlFile)
+		assert.ErrorIs(t, err, GlobalVars().ErrMissingControlFile)
 	})

 	t.Run("Compression", func(t *testing.T) {
@ -58,7 +58,7 @@ func TestParsePackage(t *testing.T) {

 			p, err := ParsePackage(data)
 			assert.Nil(t, p)
-			assert.ErrorIs(t, err, ErrUnsupportedCompression)
+			assert.ErrorIs(t, err, GlobalVars().ErrUnsupportedCompression)
 		})

 		var buf bytes.Buffer
@ -141,7 +141,7 @@ func TestParseControlFile(t *testing.T) {
 		for _, name := range []string{"", "-cd"} {
 			p, err := ParseControlFile(buildContent(name, packageVersion, packageArchitecture))
 			assert.Nil(t, p)
-			assert.ErrorIs(t, err, ErrInvalidName)
+			assert.ErrorIs(t, err, GlobalVars().ErrInvalidName)
 		}
 	})

@ -149,14 +149,14 @@ func TestParseControlFile(t *testing.T) {
 		for _, version := range []string{"", "1-", ":1.0", "1_0"} {
 			p, err := ParseControlFile(buildContent(packageName, version, packageArchitecture))
 			assert.Nil(t, p)
-			assert.ErrorIs(t, err, ErrInvalidVersion)
+			assert.ErrorIs(t, err, GlobalVars().ErrInvalidVersion)
 		}
 	})

 	t.Run("InvalidArchitecture", func(t *testing.T) {
 		p, err := ParseControlFile(buildContent(packageName, packageVersion, ""))
 		assert.Nil(t, p)
-		assert.ErrorIs(t, err, ErrInvalidArchitecture)
+		assert.ErrorIs(t, err, GlobalVars().ErrInvalidArchitecture)
 	})

 	t.Run("Valid", func(t *testing.T) {
@ -200,3 +200,35 @@ func TestParseControlFile(t *testing.T) {
 		assert.NotContains(t, p.Control, "evil.deb")
 	})
 }
+
+func TestValidateDistributionOrComponent(t *testing.T) {
+	bad := []string{
+		"",
+		".",
+		"..",
+		"-stable",
+		".hidden",
+		"a/b",
+		"a b",
+		"bookworm\nSigned-By: evil",
+		"main\nFilename: pool/x",
+		"a\tb",
+	}
+	for _, name := range bad {
+		assert.False(t, IsValidDistributionOrComponent(name), "bad=%q", name)
+	}
+
+	good := []string{
+		"stable",
+		"bookworm",
+		"bookworm-backports",
+		"stable-updates",
+		"main",
+		"non-free-firmware",
+		"a",
+		"1",
+	}
+	for _, name := range good {
+		assert.True(t, IsValidDistributionOrComponent(name), "good=%q", name)
+	}
+}
--- a/routers/api/packages/debian/debian.go
+++ b/routers/api/packages/debian/debian.go
@ -120,9 +120,9 @@ func GetRepositoryFileByHash(ctx *context.Context) {
 }

 func UploadPackageFile(ctx *context.Context) {
-	distribution := strings.TrimSpace(ctx.PathParam("distribution"))
-	component := strings.TrimSpace(ctx.PathParam("component"))
-	if distribution == "" || component == "" {
+	distribution := ctx.PathParam("distribution")
+	component := ctx.PathParam("component")
+	if !debian_module.IsValidDistributionOrComponent(distribution) || !debian_module.IsValidDistributionOrComponent(component) {
 		apiError(ctx, http.StatusBadRequest, "invalid distribution or component")
 		return
 	}