thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions
banger/internal/daemon
History
Thales Maciel caa6a2b996
model: validate VM names as DNS labels at CLI + daemon 
A VM name flows into five places that all have narrower grammars
than "arbitrary string":

  - the guest's /etc/hostname  (vm_disk.patchRootOverlay)
  - the guest's /etc/hosts      (same)
  - the <name>.vm DNS record    (vmdns.RecordName)
  - the kernel command line     (system.BuildBootArgs*)
  - VM-dir file-path fragments  (layout.VMsDir/<id>, etc.)

Nothing in the chain was validating the input. A name with
whitespace, newline, dot, slash, colon, or = would produce broken
hostnames, weird DNS labels, smuggled kernel cmdline tokens, or
(in the worst case) surprising traversal through the on-disk
layout. Not host shell injection — we already avoid shelling out
with the raw name — but a real correctness and supportability bug.

New: model.ValidateVMName. Rules:

  - 1..63 chars (DNS label max per RFC 1123; also a comfortable
    /etc/hostname cap)
  - lowercase ASCII letters, digits, '-' only
  - no leading or trailing '-'
  - no normalization — the name is the user-visible identifier
    (store key, `ssh <name>.vm`, `vm show`); silently rewriting
    "MyVM" → "myvm" would hand the user back something different
    than they typed

Called from two places:

  - internal/cli/commands_vm.go vmCreateParamsFromFlags — rejects
    bad `--name` values before any RPC. Empty name still passes
    through so the daemon can generate one.
  - internal/daemon/vm_create.go reserveVM — defense in depth for
    any non-CLI RPC caller (SDK, direct JSON over the socket).

Tests:

  - internal/model/vm_name_test.go — exhaustive character-class
    matrix (space, newline, tab, dot, slash, colon, equals, quote,
    control chars, unicode letters, uppercase, leading/trailing
    hyphen, over-length, max-length-exact, digits-only).
  - internal/cli TestVMCreateParamsFromFlagsRejectsInvalidName —
    CLI wire-through + empty-name passthrough.
  - internal/daemon TestReserveVMRejectsInvalidName — daemon
    defense-in-depth (including `box/../evil` path-traversal).
  - scripts/smoke.sh — end-to-end rejection + no-leaked-row
    assertion.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 14:06:40 -03:00
..
dmsnap Extract opstate and dmsnap into subpackages 2026-04-15 16:02:43 -03:00
fcproc fcproc: targeted tests for waitForPath + EnsureSocketAccess error paths 2026-04-22 17:49:42 -03:00
imagemgr Remove image build --from-image; doctor treats catalog images as OK 2026-04-18 15:54:29 -03:00
opstate coverage: medium batch — hostnat runner, store guest-sessions, daemon helpers 2026-04-18 18:03:37 -03:00
workspace seams: move the last four package globals onto instance fields 2026-04-22 12:07:14 -03:00
ARCHITECTURE.md docs: resync package docs, AGENTS, and kernel-catalog with current code 2026-04-22 13:01:11 -03:00
autopull_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
capabilities.go daemon split (7/n): narrow capability interfaces, wire deps at construction 2026-04-21 15:59:09 -03:00
capabilities_test.go daemon split (7/n): narrow capability interfaces, wire deps at construction 2026-04-21 15:59:09 -03:00
concurrency_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
daemon.go vmservice: delete dead guestWaitForSSH + guestDial seams 2026-04-22 12:45:27 -03:00
daemon_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
daemon_testing_test.go test: add newTestDaemon harness + options 2026-04-22 17:45:43 -03:00
dns_routing.go seams: move the last four package globals onto instance fields 2026-04-22 12:07:14 -03:00
dns_routing_test.go seams: move the last four package globals onto instance fields 2026-04-22 12:07:14 -03:00
doc.go docs: resync package docs, AGENTS, and kernel-catalog with current code 2026-04-22 13:01:11 -03:00
doctor.go make smoke: end-to-end boot suite with coverage from real VM runs 2026-04-22 18:59:57 -03:00
doctor_test.go cleanup: drop pre-v0.1 migration scaffolding + legacy-behavior refs 2026-04-23 13:56:32 -03:00
fake_firecracker_test.go remove vm session feature 2026-04-20 12:47:58 -03:00
fastpath_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
guest_ssh.go remove vm session feature 2026-04-20 12:47:58 -03:00
host_network.go seams: move the last four package globals onto instance fields 2026-04-22 12:07:14 -03:00
image_seed.go daemon split (2/5): extract *ImageService service 2026-04-20 20:30:32 -03:00
image_service.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
images.go daemon split (2/5): extract *ImageService service 2026-04-20 20:30:32 -03:00
images_helpers_test.go coverage: medium batch — hostnat runner, store guest-sessions, daemon helpers 2026-04-18 18:03:37 -03:00
images_pull.go daemon split (2/5): extract *ImageService service 2026-04-20 20:30:32 -03:00
images_pull_bundle_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
images_pull_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
kernels.go daemon split (2/5): extract *ImageService service 2026-04-20 20:30:32 -03:00
kernels_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
lifecycle_flow_test.go test: end-to-end VMService lifecycle flow harness 2026-04-22 17:55:04 -03:00
logger.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
logger_test.go seams: move the last four package globals onto instance fields 2026-04-22 12:07:14 -03:00
nat.go daemon split (1/5): extract *HostNetwork service 2026-04-20 20:11:46 -03:00
nat_capability_test.go tests: targeted coverage for doctor, workspace rejections, and nat capability 2026-04-22 12:58:12 -03:00
nat_test.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
open_close_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
ports.go daemon split (4/5): extract *VMService service 2026-04-20 20:57:05 -03:00
preflight.go seams: move the last four package globals onto instance fields 2026-04-22 12:07:14 -03:00
runtime_assets.go daemon split (4/5): extract *VMService service 2026-04-20 20:57:05 -03:00
snapshot.go daemon split (1/5): extract *HostNetwork service 2026-04-20 20:11:46 -03:00
snapshot_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
ssh_client_config.go cleanup: drop pre-v0.1 migration scaffolding + legacy-behavior refs 2026-04-23 13:56:32 -03:00
ssh_client_config_test.go cleanup: drop pre-v0.1 migration scaffolding + legacy-behavior refs 2026-04-23 13:56:32 -03:00
sshd_config_test.go guest sshd: drop DEBUG3 + StrictModes no; normalise /root perms 2026-04-19 13:40:40 -03:00
tap_pool.go daemon split (1/5): extract *HostNetwork service 2026-04-20 20:11:46 -03:00
vm.go cleanup: drop pre-v0.1 migration scaffolding + legacy-behavior refs 2026-04-23 13:56:32 -03:00
vm_authsync.go daemon split (3/5): extract *WorkspaceService service 2026-04-20 20:42:31 -03:00
vm_create.go model: validate VM names as DNS labels at CLI + daemon 2026-04-23 14:06:40 -03:00
vm_create_ops.go daemon split (4/5): extract *VMService service 2026-04-20 20:57:05 -03:00
vm_create_test.go model: validate VM names as DNS labels at CLI + daemon 2026-04-23 14:06:40 -03:00
vm_disk.go cleanup: drop pre-v0.1 migration scaffolding + legacy-behavior refs 2026-04-23 13:56:32 -03:00
vm_handles.go cleanup: drop pre-v0.1 migration scaffolding + legacy-behavior refs 2026-04-23 13:56:32 -03:00
vm_handles_test.go daemon split (6/n): extract wireServices + drop lazy service getters 2026-04-21 15:55:28 -03:00
vm_lifecycle.go daemon: fix vm start (on a stopped VM) + regression coverage 2026-04-23 12:01:46 -03:00
vm_locks.go Move subsystem state/locks off Daemon into owning types 2026-04-15 15:58:33 -03:00
vm_service.go vmservice: delete dead guestWaitForSSH + guestDial seams 2026-04-22 12:45:27 -03:00
vm_set.go daemon split (4/5): extract *VMService service 2026-04-20 20:57:05 -03:00
vm_stats.go daemon split (4/5): extract *VMService service 2026-04-20 20:57:05 -03:00
vm_test.go cleanup: drop pre-v0.1 migration scaffolding + legacy-behavior refs 2026-04-23 13:56:32 -03:00
workspace.go workspace: drop --readonly flag — advisory only against root guests 2026-04-23 13:04:33 -03:00
workspace_rejection_test.go tests: targeted coverage for doctor, workspace rejections, and nat capability 2026-04-22 12:58:12 -03:00
workspace_service.go seams: move the last four package globals onto instance fields 2026-04-22 12:07:14 -03:00
workspace_test.go cleanup: drop pre-v0.1 migration scaffolding + legacy-behavior refs 2026-04-23 13:56:32 -03:00