Fix Zip Slip vulnerability in fetcher, fix NoneType crash in validator, fix wrong board mappings in sdk_generator (rp2040, vexpress), add null-safety checks and encoding params

Author: srpatcha

ebuild/eos_ai/eos_validator.py

@@ -92,12 +92,19 @@ def validate_boot(self, path: str) -> ValidationResult:
 
     def _validate_board(self, path: Path, result: ValidationResult):
         try:
-            data = yaml.safe_load(path.read_text())
+            data = yaml.safe_load(path.read_text(encoding="utf-8"))
         except Exception as e:
             result.add_error("board.yaml", "", f"Parse error: {e}")
             return
 
+        if not isinstance(data, dict):
+            result.add_error("board.yaml", "", "Invalid format: expected YAML mapping")
+            return
+
         board = data.get("board", data)
+        if not isinstance(board, dict):
+            result.add_error("board.yaml", "board", "Board section must be a mapping")
+            return
 
         if not board.get("name"):
             result.add_error("board.yaml", "name", "Board name is required")
@@ -117,12 +124,19 @@ def _validate_board(self, path: Path, result: ValidationResult):
 
     def _validate_boot(self, path: Path, result: ValidationResult):
         try:
-            data = yaml.safe_load(path.read_text())
+            data = yaml.safe_load(path.read_text(encoding="utf-8"))
         except Exception as e:
             result.add_error("boot.yaml", "", f"Parse error: {e}")
             return
 
+        if not isinstance(data, dict):
+            result.add_error("boot.yaml", "", "Invalid format: expected YAML mapping")
+            return
+
         boot = data.get("boot", data)
+        if not isinstance(boot, dict):
+            result.add_error("boot.yaml", "boot", "Boot section must be a mapping")
+            return
 
         if not boot.get("board"):
             result.add_error("boot.yaml", "board", "Board name is required")
@@ -156,11 +170,27 @@ def _validate_boot(self, path: Path, result: ValidationResult):
 
     def _validate_build(self, path: Path, result: ValidationResult):
         try:
-            data = yaml.safe_load(path.read_text())
+            data = yaml.safe_load(path.read_text(encoding="utf-8"))
         except Exception as e:
             result.add_error("build.yaml", "", f"Parse error: {e}")
             return
 
+        if not isinstance(data, dict):
+            result.add_error("build.yaml", "", "Invalid format: expected YAML mapping")
+            return
+
         project = data.get("project", {})
+        if not isinstance(project, dict):
+            result.add_error("build.yaml", "project", "Project section must be a mapping")
+            return
+
         if not project.get("name"):
             result.add_error("build.yaml", "project.name", "Project name is required")
+
+        targets = data.get("targets", [])
+        if not targets:
+            result.add_warning("build.yaml", "targets", "No build targets defined")
+
+        toolchain = data.get("toolchain", {})
+        if isinstance(toolchain, dict) and not toolchain.get("compiler"):
+            result.add_warning("build.yaml", "toolchain.compiler", "Compiler not specified")

ebuild/packages/fetcher.py

@@ -55,7 +55,17 @@ def fetch(self, recipe: PackageRecipe, extract_to: str | Path) -> Path:
 
     def _download(self, recipe: PackageRecipe) -> Path:
         """Download the source archive if not already cached."""
+        if not recipe.url:
+            raise FetchError(f"No URL specified for package {recipe.name}")
+        if not recipe.url.startswith(("http://", "https://")):
+            raise FetchError(
+                f"Invalid URL scheme for {recipe.name}: {recipe.url} "
+                f"(only http:// and https:// are allowed)"
+            )
+
         filename = self._archive_filename(recipe)
+        if not filename:
+            raise FetchError(f"Could not derive filename from URL: {recipe.url}")
         archive_path = self.download_dir / filename
 
         if archive_path.exists():
@@ -108,6 +118,13 @@ def _extract(self, archive_path: Path, extract_to: Path) -> None:
                     tar.extractall(extract_to, filter="data")
             elif name.endswith(".zip"):
                 with zipfile.ZipFile(archive_path, "r") as zf:
+                    for member in zf.namelist():
+                        member_path = Path(extract_to) / member
+                        resolved = member_path.resolve()
+                        if not str(resolved).startswith(str(Path(extract_to).resolve())):
+                            raise FetchError(
+                                f"Zip path traversal detected: {member}"
+                            )
                     zf.extractall(extract_to)
             else:
                 raise FetchError(f"Unsupported archive format: {archive_path.name}")