From 256eb6c2fe224425c7be6488cc5505aa502db680 Mon Sep 17 00:00:00 2001
From: Luca Di Maio
Date: Tue, 19 Nov 2024 11:16:40 +0100
Subject: [PATCH 1/2] fix(pipeline): do preliminary checks for checksum invalid chars

Signed-off-by: Luca Di Maio
---
 pkg/build/pipeline.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkg/build/pipeline.go b/pkg/build/pipeline.go
index b1b140c62..5b936d0ac 100644
--- a/pkg/build/pipeline.go
+++ b/pkg/build/pipeline.go
@@ -23,6 +23,7 @@ import (
 "os/signal"
 "path"
 "path/filepath"
+ "regexp"
 "strconv"
 "strings"
 
@@ -140,6 +141,16 @@ func validateWith(data map[string]string, inputs map[string]config.Input) (map[s
 if data[k] == "" {
 data[k] = v.Default
 }
+ if k == "expected-sha256" && data[k] != "" {
+ if !matchValidShaChars(data[k]) {
+ return data, fmt.Errorf("checksum input %q for pipeline contains invalid characters", k)
+ }
+ }
+ if k == "expected-sha512" && data[k] != "" {
+ if !matchValidShaChars(data[k]) {
+ return data, fmt.Errorf("checksum input %q for pipeline contains invalid characters", k)
+ }
+ }
 
 if v.Required && data[k] == "" {
 return data, fmt.Errorf("required input %q for pipeline is missing", k)
@@ -149,6 +160,11 @@ func validateWith(data map[string]string, inputs map[string]config.Input) (map[s
 return data, nil
 }
 
+func matchValidShaChars(s string) bool {
+ match, _ := regexp.MatchString("^[a-fA-F0-9]+$", s)
+ return match
+}
+
 // Build a script to run as part of evalRun
 func buildEvalRunCommand(pipeline *config.Pipeline, debugOption rune, workdir string, fragment string) []string {
 script := fmt.Sprintf(`set -e%c
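Review bot: The two new branches `if k == "expected-sha256" && data[k] != "" {` and `if k == "expected-sha512" && data[k] != "" {` carry no comment saying why exactly these two inputs are restricted to hex, so the next maintainer cannot tell whether the check is about catching typos or about keeping shell metacharacters out of the pipeline. The function name and the `buildEvalRunCommand` script builder visible in the next hunk suggest the value later lands in a shell fragment, but that is inferred, not shown here. I would add above the first branch: `// Checksum inputs are allowlisted to hex digits before use; NOTE(review): presumably because the value is interpolated into the pipeline's shell fragment — confirm.` The two branches are byte-identical at this commit; if they are meant to diverge later a short comment to that effect helps, otherwise fold them into one condition. validateWith begins before this hunk (the loop header that binds k and v is not shown) and continues past it.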
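Review bot: `matchValidShaChars` compiles its pattern on every call through `regexp.MatchString` and throws the returned error away with `_`, so a bad pattern would silently reject every checksum with no indication why. For a fixed literal the idiom is a package-level `var validShaChars = regexp.MustCompile("^[a-fA-F0-9]+$")` with the body reduced to `return validShaChars.MatchString(s)`, which fails loudly at init instead. The helper also lacks a doc comment; I would add `// matchValidShaChars reports whether s consists only of hex digits (either case); it does not check the length, and the empty string does not match.` That last property is why the callers in the previous hunk must keep their `data[k] != ""` guard if an unset optional checksum is meant to pass.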
@@ -275,7 +291,7 @@ func (r *pipelineRunner) maybeDebug(ctx context.Context, fragment string, envOve
 signal.Ignore(os.Interrupt)
 
 // Populate $HOME/.ash_history with the current command so you can hit up arrow to repeat it.
- if err := os.WriteFile(filepath.Join(r.config.WorkspaceDir, ".ash_history"), []byte(fragment), 0644); err != nil {
+ if err := os.WriteFile(filepath.Join(r.config.WorkspaceDir, ".ash_history"), []byte(fragment), 0o644); err != nil {
 return fmt.Errorf("failed to write history file: %w", err)
 }
 

From bdc79c955c0da2ca24b37148927cb4dae0888100 Mon Sep 17 00:00:00 2001
From: Luca Di Maio
Date: Tue, 19 Nov 2024 11:51:49 +0100
Subject: [PATCH 2/2] fix(pipeline): check also checksum length

Signed-off-by: Luca Di Maio
---
 pkg/build/pipeline.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/build/pipeline.go b/pkg/build/pipeline.go
index 5b936d0ac..99d7bb8c0 100644
--- a/pkg/build/pipeline.go
+++ b/pkg/build/pipeline.go
@@ -145,11 +145,17 @@ func validateWith(data map[string]string, inputs map[string]config.Input) (map[s
 if !matchValidShaChars(data[k]) {
 return data, fmt.Errorf("checksum input %q for pipeline contains invalid characters", k)
 }
+ if len(data[k]) != 64 {
+ return data, fmt.Errorf("checksum input %q for pipeline, invalid length", k)
+ }
 }
 if k == "expected-sha512" && data[k] != "" {
 if !matchValidShaChars(data[k]) {
 return data, fmt.Errorf("checksum input %q for pipeline contains invalid characters", k)
 }
+ if len(data[k]) != 128 {
+ return data, fmt.Errorf("checksum input %q for pipeline, invalid length", k)
+ }
 }
 
 if v.Required && data[k] == "" {
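Review bot: The added checks `if len(data[k]) != 64 {` and `if len(data[k]) != 128 {` report only `invalid length`, so someone who pasted a truncated or doubled digest is not told what length was seen or expected, and the two surrounding branches now differ only in that number. I would keep the expected lengths in one package-level table, `var checksumHexLen = map[string]int{"expected-sha256": 64, "expected-sha512": 128}`, and collapse both branches into a single lookup whose error carries the actual and wanted lengths, as below. Checking characters before length, as the hunk does, is fine because `matchValidShaChars` only accepts hex, so `len` is a byte count of single-byte characters. validateWith starts before this hunk and ends after it; the loop header that binds k is not visible.
```go
// … unchanged: default handling above …
if want, ok := checksumHexLen[k]; ok && data[k] != "" {
	if !matchValidShaChars(data[k]) {
		return data, fmt.Errorf("checksum input %q for pipeline contains invalid characters", k)
	}
	if got := len(data[k]); got != want {
		return data, fmt.Errorf("checksum input %q for pipeline has %d hex characters, want %d", k, got, want)
	}
}
// … unchanged: required-input check …
```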