feat(version): Disallow using the "cmd" source for nvchecker

The [cmd](https://nvchecker.readthedocs.io/en/latest/usage.html#find-with-a-command)
source allows nvchecker to use a shell command line to get versions.
Using this source within `.nvchecker.toml` would result in `pkgctl
version {check,upgrade}` to run arbitrary commands which isn't
desirable, as it can lead to various issues (e.g. missing packages /
dependencies to run said commands or even executing malicious commands
in hypothetical worst case scenarios)

Component: pkgctl version check
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

doc/man/pkgctl-auth.1.asciidoc

@@ -3,7 +3,7 @@ pkgctl-auth(1)
 
 Name
 ----
-pkgctl-auth - Authenticate with serivces like GitLab.
+pkgctl-auth - Authenticate with services like GitLab.
 
 Synopsis
 --------

doc/man/pkgctl-version.1.asciidoc

@@ -39,6 +39,17 @@ placed in the `$XDG_CONFIG_HOME`/nvchecker` directory. This keyfile is
 used for providing the necessary authentication tokens required for
 accessing the GitHub or GitLab API.
 
+Combiner Source
+---------------
+
+To utilize the combiner source, the `pkgbase` section must be declared as the
+combiner source. Additionally, individual sections should be added using a
+quoted table key consisting of the `pkgbase` followed by the stage name,
+separated by double colons. For example: `["sudo:stage1"]`.
+
+This allows to chain different sources together into one result, or allow
+multi stage transformation of our source via multiple regex.
+
 Options
 -------
 

doc/man/pkgctl.1.asciidoc

@@ -49,6 +49,9 @@ pkgctl diff::
 pkgctl issue::
 	Work with GitLab packaging issues
 
+pkgctl license::
+	Check and manage package licenses
+
 pkgctl release::
 	Release step to commit, tag and upload build artifacts
 
@@ -70,6 +73,7 @@ pkgctl-build(1)
 pkgctl-db(1)
 pkgctl-diff(1)
 pkgctl-issue(1)
+pkgctl-license(1)
 pkgctl-release(1)
 pkgctl-repo(1)
 pkgctl-search(1)

src/lib/common.sh

@@ -54,7 +54,8 @@ export RSYNC_OPTS=(
   --human-readable
   --progress
   --partial
-  --partial-dir=.partial
+  # suffix the partial dir with the PID in order to avoid clashes
+  --partial-dir=.partial.$$
   --delay-updates
 )
 
@@ -441,3 +442,10 @@ relative_date_unit() {
 	done
 	printf "1 second"
 }
+
+
+# escapes regex metacharacters in a given string
+regex_escape() {
+	# shellcheck disable=SC2001,SC2016
+	sed 's/[\^.\[$()|*+?{\\]/\\&/g' <<<"$1"
+}

src/lib/license/check.sh

@@ -94,19 +94,19 @@ pkgctl_license_check() {
 		pushd "${path}" >/dev/null
 
 		if [[ ! -f PKGBUILD ]]; then
-			msg_error "${BOLD}${pkgbase}:${ALL_OFF} no PKGBUILD found"
+			msg_error "${BOLD}${path}:${ALL_OFF} no PKGBUILD found"
 			return 1
 		fi
 
-		# reset common PKGBUILD variables
-		unset pkgbase
-
-		# shellcheck source=contrib/makepkg/PKGBUILD.proto
-		if ! . ./PKGBUILD; then
-			msg_error "${BOLD}${pkgbase}:${ALL_OFF} failed to source PKGBUILD"
+		if [[ ! -f .SRCINFO ]]; then
+			msg_error "${BOLD}${path}:${ALL_OFF} no .SRCINFO found"
+			return 1
+		fi
+
+		if ! pkgbase=$(grep --max-count=1 --extended-regexp "pkgbase = (.+)" .SRCINFO | awk '{print $3}'); then
+			msg_error "${BOLD}${path}:${ALL_OFF} pkgbase not found in .SRCINFO"
 			return 1
 		fi
-		pkgbase=${pkgbase:-$pkgname}
 
 		if [[ ! -e LICENSE ]]; then
 			msg_error "${BOLD}${pkgbase}:${ALL_OFF} is missing the LICENSE file"

src/lib/license/setup.sh

@@ -188,6 +188,7 @@ path = [
     "README.md",
     "keys/**",
     ".SRCINFO",
+    ".gitignore",
     ".nvchecker.toml",
     "*.install",
     "*.sysusers",

src/lib/util/pkgbuild.sh

@@ -6,6 +6,8 @@
 DEVTOOLS_INCLUDE_UTIL_PKGBUILD_SH=1
 
 _DEVTOOLS_LIBRARY_DIR=${_DEVTOOLS_LIBRARY_DIR:-@pkgdatadir@}
+# shellcheck source=src/lib/common.sh
+source "${_DEVTOOLS_LIBRARY_DIR}"/lib/common.sh
 # shellcheck source=src/lib/util/makepkg.sh
 source "${_DEVTOOLS_LIBRARY_DIR}"/lib/util/makepkg.sh
 
@@ -21,6 +23,8 @@ pkgbuild_set_pkgver() {
 	local new_pkgver=$1
 	local pkgver=${pkgver}
 
+	pkgver="$(regex_escape "${pkgver}")"
+
 	if [[ $(type -t pkgver) == function ]]; then
 		# TODO: check if die or warn, if we provide _commit _gitcommit setter maybe?
 		warning 'setting pkgver variable has no effect if the PKGBUILD has a pkgver() function'

src/lib/version/check.sh

@@ -304,6 +304,11 @@ get_upstream_version() {
 		return 1
 	fi
 
+	if ! output=$(jq --raw-output --exit-status 'select(.name == "'"${pkgbase}"'")' <<< "${output}"); then
+		printf "failed to select pkgbase result from output"
+		return 1
+	fi
+
 	if ! upstream_version=$(jq --raw-output --exit-status '.version' <<< "${output}"); then
 		printf "failed to select version from result"
 		return 1
@@ -346,10 +351,16 @@ nvchecker_check_config() {
 	fi
 
 	# check if the config contains any section other than pkgbase
-	if [[ -n ${pkgbase} ]] && property=$(grep --max-count=1 --perl-regexp "^\\[(?!\"?${pkgbase//+/\\+}\"?\\]).+\\]" < "${config}"); then
+	if [[ -n ${pkgbase} ]] && property=$(grep --max-count=1 --perl-regexp "^\\[(?!\"?${pkgbase//+/\\+}(:.+)?\"?\\]).+\\]" < "${config}"); then
 		printf "non-pkgbase section not supported in %s: %s" "${config}" "${property}"
 		return 1
 	fi
+
+	# check if the config is using the 'cmd' source
+	if grep --extended-regexp --quiet '^\s*source\s*=\s*["'\'']cmd["'\''].*' "${config}"; then
+		printf "using the 'cmd' source in %s is disallowed" "${config}"
+		return 1
+	fi
 }
 
 nvchecker_check_error() {