sanity check on did part

2024-02-13 11:28:19 -05:00 · 2024-02-13 11:28:19 -05:00 · b400fae24e
commit b400fae24e
parent 9360e246b5
7 changed files with 19 additions and 1 deletions
--- a/.github/workflows/build-and-push-pds-ghcr.yaml
+++ b/.github/workflows/build-and-push-pds-ghcr.yaml
@ -3,7 +3,7 @@ on:
  push:
    branches:
      - main
-      - pds-node-v20
+      - pds-sanity-check
 env:
  REGISTRY: ghcr.io
  USERNAME: ${{ github.actor }}
--- a/lexicons/com/atproto/server/reserveSigningKey.json
+++ b/lexicons/com/atproto/server/reserveSigningKey.json
@ -12,6 +12,7 @@
          "properties": {
            "did": {
              "type": "string",
+              "format": "did",
              "description": "The DID to reserve a key for."
            }
          }
--- a/packages/api/src/client/lexicons.ts
+++ b/packages/api/src/client/lexicons.ts
@ -3643,6 +3643,7 @@ export const schemaDict = {
            properties: {
              did: {
                type: 'string',
+                format: 'did',
                description: 'The DID to reserve a key for.',
              },
            },
--- a/packages/bsky/src/lexicon/lexicons.ts
+++ b/packages/bsky/src/lexicon/lexicons.ts
@ -3643,6 +3643,7 @@ export const schemaDict = {
            properties: {
              did: {
                type: 'string',
+                format: 'did',
                description: 'The DID to reserve a key for.',
              },
            },
--- a/packages/ozone/src/lexicon/lexicons.ts
+++ b/packages/ozone/src/lexicon/lexicons.ts
@ -3643,6 +3643,7 @@ export const schemaDict = {
            properties: {
              did: {
                type: 'string',
+                format: 'did',
                description: 'The DID to reserve a key for.',
              },
            },
--- a/packages/pds/src/actor-store/index.ts
+++ b/packages/pds/src/actor-store/index.ts
@ -1,4 +1,5 @@
 import path from 'path'
+import assert from 'assert'
 import fs from 'fs/promises'
 import * as crypto from '@atproto/crypto'
 import { Keypair, ExportableKeypair } from '@atproto/crypto'
@ -148,6 +149,7 @@ export class ActorStore {
  async reserveKeypair(did?: string): Promise<string> {
    let keyLoc: string | undefined
    if (did) {
+      assertSafePathPart(did)
      keyLoc = path.join(this.reservedKeyDir, did)
      const maybeKey = await loadKey(keyLoc)
      if (maybeKey) {
@ -259,3 +261,14 @@ export type ActorStoreTransactor = {
  record: RecordTransactor
  pref: PreferenceTransactor
 }
+
+function assertSafePathPart(part: string) {
+  const normalized = path.normalize(part)
+  assert(
+    part === normalized &&
+      !part.startsWith('.') &&
+      !part.includes('/') &&
+      !part.includes('\\'),
+    `unsafe path part: ${part}`,
+  )
+}
--- a/packages/pds/src/lexicon/lexicons.ts
+++ b/packages/pds/src/lexicon/lexicons.ts
@ -3643,6 +3643,7 @@ export const schemaDict = {
            properties: {
              did: {
                type: 'string',
+                format: 'did',
                description: 'The DID to reserve a key for.',
              },
            },