dbus: rauc: only install bundles from primary channel

hnez · hnez · commit bd41a30cdb02 · 2025-04-02T18:29:44.000+02:00
Allowing arbitrary URL in the install request always felt wrong.
Only allow installations from the primary update channel.
diff --git a/src/dbus/rauc.rs b/src/dbus/rauc.rs
@@ -394,33 +394,50 @@ impl Rauc {
         })?;
 
         let conn_task = conn.clone();
+        let channels = inst.channels.clone();
         let (mut install_stream, _) = inst.install.clone().subscribe_unbounded();
 
         // Forward the "install" topic from the broker framework to RAUC
         wtb.spawn_task("rauc-forward-install", async move {
             let proxy = InstallerProxy::new(&conn_task).await.unwrap();
 
             while let Some(update_request) = install_stream.next().await {
-                let url = match update_request.url {
-                    Some(url) => url,
-                    None => continue,
+                let channels = match channels.try_get() {
+                    Some(chs) => chs,
+                    None => {
+                        warn!("Got install request with no channels available yet");
+                        continue;
+                    }
                 };
 
-                // Poor-mans validation. It feels wrong to let someone point to any
-                // file on the TAC from the web interface.
-                if url.starts_with("http://") || url.starts_with("https://") {
-                    let manifest_hash: Option<zbus::zvariant::Value> =
-                        update_request.manifest_hash.map(|mh| mh.into());
-
-                    let mut args = HashMap::new();
-
-                    if let Some(manifest_hash) = &manifest_hash {
-                        args.insert("require-manifest-hash", manifest_hash);
+                let primary = match channels.primary() {
+                    Some(primary) => primary,
+                    None => {
+                        warn!("Got install request with no primary channel configured");
+                        continue;
                     }
+                };
 
-                    if let Err(e) = proxy.install_bundle(&url, args).await {
-                        error!("Failed to install bundle: {}", e);
+                let url = match &update_request.url {
+                    None => &primary.url,
+                    Some(url) if url == &primary.url => &primary.url,
+                    Some(_) => {
+                        warn!("Got install request with URL not matching primary channel URL");
+                        continue;
                     }
+                };
+
+                let manifest_hash: Option<zbus::zvariant::Value> =
+                    update_request.manifest_hash.map(|mh| mh.into());
+
+                let mut args = HashMap::new();
+
+                if let Some(manifest_hash) = &manifest_hash {
+                    args.insert("require-manifest-hash", manifest_hash);
+                }
+
+                if let Err(e) = proxy.install_bundle(url, args).await {
+                    error!("Failed to install bundle: {}", e);
                 }
             }
 
diff --git a/src/dbus/rauc/update_channels.rs b/src/dbus/rauc/update_channels.rs
@@ -173,4 +173,9 @@ impl Channels {
     pub fn into_vec(self) -> Vec<Channel> {
         self.0
     }
+
+    #[cfg(not(feature = "demo_mode"))]
+    pub(super) fn primary(&self) -> Option<&Channel> {
+        self.0.iter().find(|ch| ch.primary)
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -173,4 +173,9 @@ impl Channels {`
`173`	`173`	`pub fn into_vec(self) -> Vec<Channel> {`
`174`	`174`	`self.0`
`175`	`175`	`}`
	`176`	`+`
	`177`	`+ #[cfg(not(feature = "demo_mode"))]`
	`178`	`+ pub(super) fn primary(&self) -> Option<&Channel> {`
	`179`	`+ self.0.iter().find(\|ch\| ch.primary)`
	`180`	`+ }`
`176`	`181`	`}`