Compare commits

..

3 Commits

Author SHA1 Message Date
32fe234744 fix(flatfile): harden flat-file backend against injection and traversal attacks
Some checks failed
CI Code / Check coding style (pull_request) Failing after 29s
CI Code / Check spelling (pull_request) Failing after 18s
CI Code / Linux (debian) (pull_request) Successful in 7m3s
CI Code / Code Coverage (pull_request) Successful in 4m48s
CI Code / Linux (ubuntu) (pull_request) Successful in 6m17s
CI Code / Linux (arch) (pull_request) Has been cancelled
Security fixes for 7 vulnerabilities in database_flatfile.c:

1. Path traversal via crafted JID (HIGH):
   _ff_jid_to_dir() now strips '/', '\' -> '_' and collapses '..' -> '__',
   preventing a malicious federated JID from escaping the log directory.

2. Log injection via unescaped message body (HIGH):
   Add _ff_escape_message()/_ff_unescape_message() -- escape \n, \r, \\
   in message text on write, unescape on read. Prevents remote contacts
   from injecting fake log lines with forged sender/timestamp/encryption.

3. Metadata field injection (HIGH):
   Add _ff_escape_meta_value()/_ff_unescape_meta_value() -- escape |, ],
   \\, \n, \r in stanza_id/archive_id/replace_id. Parser uses escape-aware
   _ff_find_unescaped_char() and _ff_split_meta() instead of strchr/strsplit.

4. Sender ": " parsing confusion (MEDIUM):
   Escape ": " -> "\: " in XMPP resource on write. Parser uses
   _ff_find_unescaped_colonspace() + _ff_unescape_sender_resource().

5. LMC correction chain cycle -> infinite loop (MEDIUM):
   Add visited hash-set and FF_MAX_LMC_DEPTH (100) limit to chain walker.

6. Unbounded getline() -> OOM (MEDIUM):
   Add FF_MAX_LINE_LEN (10 MB) cap in _ff_readline(); overlength lines
   are skipped with a warning. Replaces all char buf[8192]/fgets() sites
   with dynamic getline() + truncated-line detection at EOF.

7. Symlink attack + TOCTOU on file creation (MEDIUM):
   Replace fopen("a") with open(O_WRONLY|O_APPEND|O_CREAT|O_EXCL|O_NOFOLLOW)
   + fdopen() -- atomic new-file detection, symlink rejection via O_NOFOLLOW.
   _ff_ensure_dir() checks g_lstat() for symlinks. File permissions 0600
   set via open() mode, not post-hoc g_chmod().
2026-02-17 19:37:42 +03:00
10007530c1 feat: add flat-file database backend for message history
Add pluggable storage backend abstraction (vtable) to the database layer,
allowing selection between SQLite (default) and a new flat-file backend
that stores messages as human-readable plain text files.

New files:
- database_sqlite.c: extracted SQLite backend from database.c
- database_flatfile.c: plain text backend with tolerant parser,
  LMC correction chains, UTF-8/BOM/CRLF handling, integrity checks

Commands:
- /privacy logging flatfile — switch to flat-file backend
- /history verify [<jid>] — check integrity of stored history

Fixes:
- Add missing 'off' guard in flatfile backend
- Enable CHLOG/HISTORY prefs when switching to flatfile mode

Logs stored in ~/.local/share/profanity/flatlog/{account}/{contact}/{date}.log
Format: {ISO8601} [{type}|{enc}|id:{id}|corrects:{id}] {sender}: {message}

Updated: CHANGELOG, CONTRIBUTING.md, profrc.example, man page, cmd_defs,
Makefile.am, test stubs, functional test support (PROF_FLATFILE=1)
2026-02-17 19:37:42 +03:00
37ca2de308 ci: fix arch build
Some checks failed
CI Code / Check spelling (pull_request) Successful in 20s
CI Code / Check coding style (pull_request) Successful in 34s
CI Code / Linux (debian) (pull_request) Successful in 6m21s
CI Code / Linux (ubuntu) (pull_request) Successful in 6m25s
CI Code / Code Coverage (pull_request) Successful in 13m14s
CI Code / Linux (arch) (pull_request) Successful in 7m26s
CI Code / Check spelling (push) Successful in 19s
CI Code / Check coding style (push) Successful in 30s
CI Code / Linux (debian) (push) Successful in 6m26s
CI Code / Linux (ubuntu) (push) Successful in 6m27s
CI Code / Code Coverage (push) Has been cancelled
CI Code / Linux (arch) (push) Has been cancelled
2026-02-17 16:30:52 +01:00

View File

@@ -1,9 +1,11 @@
FROM archlinux
FROM archlinux:latest
ENV TERM=xterm
ENV CC="ccache gcc"
RUN pacman -Syu --noconfirm
RUN pacman-key --refresh-keys
RUN pacman -Syyu --noconfirm
# reflector is optional - if it fails due to network issues, continue with default mirrorlist
RUN pacman -S --needed --noconfirm reflector && \
(reflector --latest 20 --protocol https --sort rate --save /etc/pacman.d/mirrorlist || true)