Summary
Multiple P1-level issues found across automation, recipe/bootstrap, and adoption modules.
Findings
1. Double-wait in automation scheduler
- Location: conary-core/src/automation/
- Issue: Scheduled tasks waited on twice, causing duplicate execution or deadlock.
- Fix: Track task completion state to prevent double-wait.
2. parse_duration accepts unbounded values
- Location: conary-core/src/automation/
- Issue: Duration parsing accepts extremely large values without bounds checking.
- Fix: Add upper bound validation on parsed durations.
3. Recipe source checksums not verified
- Location: conary-core/src/recipe/
- Issue: Downloaded source tarballs not verified against expected checksums before extraction.
- Fix: Verify checksums before extraction; abort on mismatch.
4. Path traversal in recipe extraction
- Location: conary-core/src/recipe/
- Issue: Archive extraction doesn't validate paths, allowing ../ traversal.
- Fix: Validate all extracted paths stay within the build directory.
5. Placeholder hashes in bootstrap stages
- Location: conary-core/src/bootstrap/
- Issue: Bootstrap stages use placeholder hash values that are never replaced with real ones.
- Fix: Compute and verify real hashes at each bootstrap stage.
6. Label dependency cycles
- Location: conary-core/src/label.rs
- Issue: Circular label dependencies not detected, causing infinite loops.
- Fix: Implement cycle detection in label resolution.
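
For finding 4, a lexical path check of the kind the fix describes, as an added example that is not conary's own code. `resolve_entry`, `EntryError` and the sample entry names are hypothetical, and it assumes the archive reader hands over each entry name as a string before anything is written.

```rust
use std::path::{Component, Path, PathBuf};

/// Why an archive entry was refused.
#[derive(Debug, PartialEq)]
pub enum EntryError {
    Absolute,
    ParentEscape,
    Empty,
}

/// Hypothetical helper: map an archive entry name to a destination under
/// `build_dir`, or refuse it. Purely lexical; it does not touch the filesystem.
pub fn resolve_entry(build_dir: &Path, entry: &str) -> Result<PathBuf, EntryError> {
    let mut rel = PathBuf::new();
    for comp in Path::new(entry).components() {
        match comp {
            Component::Normal(part) => rel.push(part),
            Component::CurDir => {}
            // Refuse every `..`, even one that would normalise back inside:
            // if `a` is a symlink extracted earlier, `a/../b` can resolve
            // outside the build directory.
            Component::ParentDir => return Err(EntryError::ParentEscape),
            // Absolute names would replace the base in `Path::join`.
            Component::RootDir | Component::Prefix(_) => return Err(EntryError::Absolute),
        }
    }
    if rel.as_os_str().is_empty() {
        return Err(EntryError::Empty);
    }
    Ok(build_dir.join(rel))
}

fn main() {
    // Constructed entry names, not taken from a real recipe.
    let build = Path::new("/var/tmp/build");
    for name in ["src/main.c", "./README", "../../etc/passwd", "/etc/shadow", "a/../../b", "."] {
        match resolve_entry(build, name) {
            Ok(dest) => println!("extract {name} -> {}", dest.display()),
            Err(e) => println!("refuse  {name}: {e:?}"),
        }
    }
}
```

Symlink and hard-link entries are not covered by a name check alone; their link targets need the same validation before extraction.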