feat(version): Disallow using the "cmd" source for nvchecker

The [cmd](https://nvchecker.readthedocs.io/en/latest/usage.html#find-with-a-command)
source allows nvchecker to use a shell command line to get versions.
Using this source within `.nvchecker.toml` would result in `pkgctl
version {check,upgrade}` to run arbitrary commands which isn't
desirable, as it can lead to various issues (e.g. missing packages /
dependencies to run said commands or even executing malicious commands
in hypothetical worst case scenarios)

Component: pkgctl version check
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

contrib/completion/bash/devtools.in

@@ -150,6 +150,7 @@ _pkgctl_cmds=(
 	db
 	diff
 	issue
+	license
 	release
 	repo
 	search

doc/man/pkgctl-auth.1.asciidoc

@@ -3,7 +3,7 @@ pkgctl-auth(1)
 
 Name
 ----
-pkgctl-auth - Authenticate with serivces like GitLab.
+pkgctl-auth - Authenticate with services like GitLab.
 
 Synopsis
 --------

doc/man/pkgctl-version.1.asciidoc

@@ -39,6 +39,17 @@ placed in the `$XDG_CONFIG_HOME`/nvchecker` directory. This keyfile is
 used for providing the necessary authentication tokens required for
 accessing the GitHub or GitLab API.
 
+Combiner Source
+---------------
+
+To utilize the combiner source, the `pkgbase` section must be declared as the
+combiner source. Additionally, individual sections should be added using a
+quoted table key consisting of the `pkgbase` followed by the stage name,
+separated by double colons. For example: `["sudo:stage1"]`.
+
+This allows to chain different sources together into one result, or allow
+multi stage transformation of our source via multiple regex.
+
 Options
 -------
 

doc/man/pkgctl.1.asciidoc

@@ -49,6 +49,9 @@ pkgctl diff::
 pkgctl issue::
 	Work with GitLab packaging issues
 
+pkgctl license::
+	Check and manage package licenses
+
 pkgctl release::
 	Release step to commit, tag and upload build artifacts
 
@@ -70,6 +73,7 @@ pkgctl-build(1)
 pkgctl-db(1)
 pkgctl-diff(1)
 pkgctl-issue(1)
+pkgctl-license(1)
 pkgctl-release(1)
 pkgctl-repo(1)
 pkgctl-search(1)

src/commitpkg.in

@@ -155,7 +155,7 @@ if (( ${#needsversioning[*]} )); then
 		if [[ ! -f "${file}" ]]; then
 			continue
 		fi
-		if ! git ls-files --error-unmatch "$file"; then
+		if ! git ls-files --error-unmatch "$file" >/dev/null; then
 			die "%s is not under version control" "$file"
 		fi
 	done

src/lib/common.sh

@@ -54,7 +54,8 @@ export RSYNC_OPTS=(
   --human-readable
   --progress
   --partial
-  --partial-dir=.partial
+  # suffix the partial dir with the PID in order to avoid clashes
+  --partial-dir=.partial.$$
   --delay-updates
 )
 
@@ -441,3 +442,10 @@ relative_date_unit() {
 	done
 	printf "1 second"
 }
+
+
+# escapes regex metacharacters in a given string
+regex_escape() {
+	# shellcheck disable=SC2001,SC2016
+	sed 's/[\^.\[$()|*+?{\\]/\\&/g' <<<"$1"
+}

src/lib/license/check.sh

@@ -94,19 +94,19 @@ pkgctl_license_check() {
 		pushd "${path}" >/dev/null
 
 		if [[ ! -f PKGBUILD ]]; then
-			msg_error "${BOLD}${pkgbase}:${ALL_OFF} no PKGBUILD found"
+			msg_error "${BOLD}${path}:${ALL_OFF} no PKGBUILD found"
 			return 1
 		fi
 
-		# reset common PKGBUILD variables
+		if [[ ! -f .SRCINFO ]]; then
-		unset pkgbase
+			msg_error "${BOLD}${path}:${ALL_OFF} no .SRCINFO found"
-
+			return 1
-		# shellcheck source=contrib/makepkg/PKGBUILD.proto
+		fi
-		if ! . ./PKGBUILD; then
+
-			msg_error "${BOLD}${pkgbase}:${ALL_OFF} failed to source PKGBUILD"
+		if ! pkgbase=$(grep --max-count=1 --extended-regexp "pkgbase = (.+)" .SRCINFO | awk '{print $3}'); then
+			msg_error "${BOLD}${path}:${ALL_OFF} pkgbase not found in .SRCINFO"
 			return 1
 		fi
-		pkgbase=${pkgbase:-$pkgname}
 
 		if [[ ! -e LICENSE ]]; then
 			msg_error "${BOLD}${pkgbase}:${ALL_OFF} is missing the LICENSE file"

src/lib/license/setup.sh

@@ -188,10 +188,13 @@ path = [
     "README.md",
     "keys/**",
     ".SRCINFO",
+    ".gitignore",
     ".nvchecker.toml",
     "*.install",
     "*.sysusers",
+    "*sysusers.conf",
     "*.tmpfiles",
+    "*tmpfiles.conf",
     "*.logrotate",
     "*.pam",
     "*.service",

src/lib/util/pkgbuild.sh

@@ -6,6 +6,8 @@
 DEVTOOLS_INCLUDE_UTIL_PKGBUILD_SH=1
 
 _DEVTOOLS_LIBRARY_DIR=${_DEVTOOLS_LIBRARY_DIR:-@pkgdatadir@}
+# shellcheck source=src/lib/common.sh
+source "${_DEVTOOLS_LIBRARY_DIR}"/lib/common.sh
 # shellcheck source=src/lib/util/makepkg.sh
 source "${_DEVTOOLS_LIBRARY_DIR}"/lib/util/makepkg.sh
 
@@ -21,6 +23,8 @@ pkgbuild_set_pkgver() {
 	local new_pkgver=$1
 	local pkgver=${pkgver}
 
+	pkgver="$(regex_escape "${pkgver}")"
+
 	if [[ $(type -t pkgver) == function ]]; then
 		# TODO: check if die or warn, if we provide _commit _gitcommit setter maybe?
 		warning 'setting pkgver variable has no effect if the PKGBUILD has a pkgver() function'

src/lib/version/check.sh

@@ -304,6 +304,11 @@ get_upstream_version() {
 		return 1
 	fi
 
+	if ! output=$(jq --raw-output --exit-status 'select(.name == "'"${pkgbase}"'")' <<< "${output}"); then
+		printf "failed to select pkgbase result from output"
+		return 1
+	fi
+
 	if ! upstream_version=$(jq --raw-output --exit-status '.version' <<< "${output}"); then
 		printf "failed to select version from result"
 		return 1
@@ -346,10 +351,16 @@ nvchecker_check_config() {
 	fi
 
 	# check if the config contains any section other than pkgbase
-	if [[ -n ${pkgbase} ]] && property=$(grep --max-count=1 --perl-regexp "^\\[(?!\"?${pkgbase//+/\\+}\"?\\]).+\\]" < "${config}"); then
+	if [[ -n ${pkgbase} ]] && property=$(grep --max-count=1 --perl-regexp "^\\[(?!\"?${pkgbase//+/\\+}(:.+)?\"?\\]).+\\]" < "${config}"); then
 		printf "non-pkgbase section not supported in %s: %s" "${config}" "${property}"
 		return 1
 	fi
+
+	# check if the config is using the 'cmd' source
+	if grep --extended-regexp --quiet '^\s*source\s*=\s*["'\'']cmd["'\''].*' "${config}"; then
+		printf "using the 'cmd' source in %s is disallowed" "${config}"
+		return 1
+	fi
 }
 
 nvchecker_check_error() {

src/makechrootpkg.in

@@ -19,7 +19,7 @@ shopt -s nullglob
 
 default_makepkg_args=(--syncdeps --noconfirm --log --holdver --skipinteg)
 makepkg_args=("${default_makepkg_args[@]}")
-verifysource_args=(--syncdeps --noconfirm --log)
+verifysource_args=()
 chrootdir=
 passeddir=
 makepkg_user=
@@ -175,7 +175,7 @@ prepare_chroot() {
 	printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid"
 	printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))"
 
-	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest,verify/{gnupg,ssh}}
+	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest}
 
 	sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
 	for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \
@@ -247,10 +247,15 @@ _chrootnamcap() {
 	done
 }
 
-_download_sources() {
+download_sources() {
+	setup_workdir
+	chown "$makepkg_user:" "$WORKDIR"
+
 	# Ensure sources are downloaded
-	sudo -u builduser env SRCDEST="/srcdest" GNUPGHOME="/verify/gnupg" SSH_AUTH_SOCK="/verify/ssh" \
+	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME,SSH_AUTH_SOCK \
-		bash -c "cd /startdir; makepkg --config=/etc/makepkg.conf --verifysource -o ${verifysource_args[*]}"
+		env SRCDEST="$SRCDEST" BUILDDIR="$WORKDIR" \
+		makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o "${verifysource_args[@]}" ||
+		die "Could not download sources."
 }
 
 move_logfiles() {
@@ -347,7 +352,6 @@ umask 0022
 ORIG_HOME=$HOME
 IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}")
 load_makepkg_config
-DEVTOOLS_GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
 HOME=$ORIG_HOME
 
 # Use PKGBUILD directory if these don't exist
@@ -379,6 +383,8 @@ if [[ "$(id -u "$makepkg_user")" == 0 ]]; then
 	exit 1
 fi
 
+download_sources
+
 prepare_chroot
 
 nspawn_build_args=(
@@ -390,11 +396,6 @@ nspawn_build_args=(
 	"${bindmounts_tmpfs[@]}"
 )
 
-arch-nspawn "$copydir" \
-	"${nspawn_build_args[@]}" --bind-ro="${DEVTOOLS_GNUPGHOME//:/\\:}:/verify/gnupg" --bind-ro="${SSH_AUTH_SOCK//:/\\:}:/verify/ssh" \
-	bash -c "$(declare -f _download_sources); verifysource_args=(${verifysource_args[*]}); _download_sources" ||
-	die "Could not download sources."
-
 if arch-nspawn "$copydir" \
 	"${nspawn_build_args[@]}" \
 	/chrootbuild "${makepkg_args[@]}"