sanity check on did part

bluesky-social · Feb 13, 2024 · b400fae · b400fae
1 parent 9360e24
commit b400fae
Show file tree

Hide file tree

Showing 7 changed files with 19 additions and 1 deletion.
diff --git a/.github/workflows/build-and-push-pds-ghcr.yaml b/.github/workflows/build-and-push-pds-ghcr.yaml
@@ -3,7 +3,7 @@ on:
   push:
     branches:
       - main
-      - pds-node-v20
+      - pds-sanity-check
 env:
   REGISTRY: ghcr.io
   USERNAME: ${{ github.actor }}

diff --git a/lexicons/com/atproto/server/reserveSigningKey.json b/lexicons/com/atproto/server/reserveSigningKey.json
@@ -12,6 +12,7 @@
           "properties": {
             "did": {
               "type": "string",
+              "format": "did",
               "description": "The DID to reserve a key for."
             }
           }

diff --git a/packages/api/src/client/lexicons.ts b/packages/api/src/client/lexicons.ts
@@ -3643,6 +3643,7 @@ export const schemaDict = {
             properties: {
               did: {
                 type: 'string',
+                format: 'did',
                 description: 'The DID to reserve a key for.',
               },
             },

diff --git a/packages/bsky/src/lexicon/lexicons.ts b/packages/bsky/src/lexicon/lexicons.ts
@@ -3643,6 +3643,7 @@ export const schemaDict = {
             properties: {
               did: {
                 type: 'string',
+                format: 'did',
                 description: 'The DID to reserve a key for.',
               },
             },

diff --git a/packages/ozone/src/lexicon/lexicons.ts b/packages/ozone/src/lexicon/lexicons.ts
@@ -3643,6 +3643,7 @@ export const schemaDict = {
             properties: {
               did: {
                 type: 'string',
+                format: 'did',
                 description: 'The DID to reserve a key for.',
               },
             },

diff --git a/packages/pds/src/actor-store/index.ts b/packages/pds/src/actor-store/index.ts
@@ -1,4 +1,5 @@
 import path from 'path'
+import assert from 'assert'
 import fs from 'fs/promises'
 import * as crypto from '@atproto/crypto'
 import { Keypair, ExportableKeypair } from '@atproto/crypto'
@@ -148,6 +149,7 @@ export class ActorStore {
   async reserveKeypair(did?: string): Promise<string> {
     let keyLoc: string | undefined
     if (did) {
+      assertSafePathPart(did)
       keyLoc = path.join(this.reservedKeyDir, did)
       const maybeKey = await loadKey(keyLoc)
       if (maybeKey) {
@@ -259,3 +261,14 @@ export type ActorStoreTransactor = {
   record: RecordTransactor
   pref: PreferenceTransactor
 }
+
+function assertSafePathPart(part: string) {
+  const normalized = path.normalize(part)
+  assert(
+    part === normalized &&
+      !part.startsWith('.') &&
+      !part.includes('/') &&
+      !part.includes('\\'),
+    `unsafe path part: ${part}`,
+  )
+}
diff --git a/packages/pds/src/lexicon/lexicons.ts b/packages/pds/src/lexicon/lexicons.ts
@@ -3643,6 +3643,7 @@ export const schemaDict = {
             properties: {
               did: {
                 type: 'string',
+                format: 'did',
                 description: 'The DID to reserve a key for.',
               },
             },