fix: Apply NAR URL normalization in storage layer

[kalbasit]

Normalize NAR URLs before file path operations in both local and S3 storage
backends. This ensures consistent storage and retrieval regardless of whether
the NAR URL contains an embedded narinfo hash prefix.

Changes:

• pkg/storage/local/local.go: Add URL.Normalize() in HasNar, GetNar, PutNar, DeleteNar
• pkg/storage/s3/s3.go: Add URL.Normalize() in narPath method

This ensures that NARs are stored and retrieved using the normalized hash,
making the storage layer agnostic to whether the input URL has a prefix.

Part of #806

Co-Authored-By: Claude Haiku 4.5 noreply@anthropic.com

[gemini-code-assist]

Summary of Changes

Hello @kalbasit, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request standardizes how NAR (Nix Archive) URLs are processed within the storage layer. By applying a normalization step to NAR URLs before they are used for file path operations, the system ensures that NARs are consistently stored and retrieved. This change makes both local and S3 storage backends robust against variations in NAR URL formatting, specifically addressing cases where URLs might include an embedded narinfo hash prefix.

Highlights

• NAR URL Normalization: Implemented NAR URL normalization across local and S3 storage layers to ensure consistent file path operations, regardless of whether the NAR URL contains an embedded narinfo hash prefix.

Changelog

• pkg/storage/local/local.go
  • Applied narURL.Normalize() before narURL.ToFilePath() in HasNar method.
  • Applied narURL.Normalize() before narURL.ToFilePath() in GetNar method.
  • Applied narURL.Normalize() before narURL.ToFilePath() in PutNar method.
  • Applied narURL.Normalize() before narURL.ToFilePath() in DeleteNar method.
• pkg/storage/s3/s3.go
  • Applied narURL.Normalize() before narURL.ToFilePath() in narPath method.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[dosubot]

Related Documentation

Checked 7 published document(s) in 1 knowledge base(s). No updates required.

^{How did I do? Any feedback?}  

[kalbasit]

• fix: harden NAR hash validation and improve URL parsing #842
• fix: harden the narinfo route pattern #841
• fix: harden the narinfo hash validation #840
• fix: Fix test data generation and skip signature verification #839
• fix: Improve NAR file serving and remove old URL prefix workaround #838
• fix: Apply NAR URL normalization in storage layer #837 👈 (View in Graphite)
• feat: Add NAR URL normalization function and support dashes/underscores in hashes #836
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[gemini-code-assist]

Code Review

This pull request implements NAR URL normalization across local and S3 storage backends to ensure consistent storage and retrieval. However, it introduces a critical path traversal vulnerability because the Normalize() function lacks proper output validation. This affects both local and S3 storage backends, allowing an attacker to read and write arbitrary files or S3 objects, potentially leading to Remote Code Execution. The Normalize function in pkg/nar/url.go must be fixed to prevent it from returning path traversal payloads.

[kalbasit]

/gemini review

[gemini-code-assist]

Code Review

This pull request correctly adds NAR URL normalization in the local and S3 storage layers to handle URLs with an embedded narinfo hash prefix. However, the implementation introduces a critical path traversal vulnerability. The new nar.URL.Normalize() function has a flawed 'fail-open' sanitization mechanism, returning malicious input when a path traversal is detected. This allows an attacker to read, write, or delete arbitrary files on the local filesystem or in the S3 bucket. The Normalize function must be fixed to fail safely. Additionally, my feedback suggests improving code clarity by chaining method calls and addressing duplicated logic in the local storage backend for better maintainability.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.41%. Comparing base (7e1c28e) to head (0b7597e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #837   +/-   ##
=======================================
  Coverage   85.41%   85.41%           
=======================================
  Files           2        2           
  Lines         480      480           
=======================================
  Hits          410      410           
  Misses         65       65           
  Partials        5        5           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.