From 4c7c3fce6cc4515d291baff5f1124b854db59ab9 Mon Sep 17 00:00:00 2001
From: Achilleas Koutsou
Date: Mon, 8 Apr 2024 18:51:51 +0200
Subject: [PATCH] osbuild: validate env var name in systemd.unit
Signed-off-by: Achilleas Koutsou
---
 pkg/osbuild/systemd_unit_stage.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/pkg/osbuild/systemd_unit_stage.go b/pkg/osbuild/systemd_unit_stage.go
index 4dff1831c8..0d1326091d 100644
--- a/pkg/osbuild/systemd_unit_stage.go
+++ b/pkg/osbuild/systemd_unit_stage.go
@@ -1,5 +1,10 @@
 package osbuild
+import (
+ "fmt"
+ "regexp"
+)
+
 type unitType string
 const (
@@ -16,7 +21,22 @@ type SystemdUnitStageOptions struct {
 func (SystemdUnitStageOptions) isStageOptions() {}
+func (o *SystemdUnitStageOptions) validate() error {
+ vre := regexp.MustCompile(envVarRegex)
+ if service := o.Config.Service; service != nil {
+ for _, envVar := range service.Environment {
+ if !vre.MatchString(envVar.Key) {
+ return fmt.Errorf("variable name %q doesn't conform to schema (%s)", envVar.Key, envVarRegex)
+ }
+ }
+ }
+ return nil
+}
+
 func NewSystemdUnitStage(options *SystemdUnitStageOptions) *Stage {
+ if err := options.validate(); err != nil {
+ panic(err)
+ }
 return &Stage{
 Type: "org.osbuild.systemd.unit",
 Options: options,
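Review bot: `vre.MatchString(envVar.Key)` in `validate()` is an unanchored search, so the check is only as strict as `envVarRegex`, which is defined outside this hunk. Please confirm that pattern is anchored at both ends; otherwise a key that merely contains a valid name would pass and be handed to the unit stage. A comment above the loop such as `// envVarRegex must be anchored: MatchString accepts any matching substring` would record that dependency. The pattern is also recompiled on every call, and could be hoisted to package scope as `var envVarNameRe = regexp.MustCompile(envVarRegex)`. Separately, `validate()` reads `o.Config` with no nil check, so `NewSystemdUnitStage(nil)` now fails with a nil dereference rather than a descriptive error; an `if o == nil { return nil }` guard (or an explicit error) would make that case deliberate. `NewSystemdUnitStage`'s body continues past the end of the hunk.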