plugin: restrict characters in plugin names

Thanks to ⬡-49016 for reporting this issue.

Fixes GHSA-32gq-x56h-299c

.github/workflows/build.yml

@@ -22,7 +22,7 @@ jobs:
           - {GOOS: freebsd, GOARCH: amd64}
     steps:
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
           go-version: 1.x
       - name: Checkout repository
@@ -62,9 +62,9 @@ jobs:
           GOARCH: ${{ matrix.GOARCH }}
           GOARM: ${{ matrix.GOARM }}
       - name: Upload workflow artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
-          name: age-binaries
+          name: age-binaries-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
           path: age-*
   upload:
     name: Upload release binaries
@@ -75,9 +75,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download workflow artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
-          name: age-binaries
+          pattern: age-binaries-*
+          merge-multiple: true
       - name: Upload release artifacts
         run: gh release upload "$GITHUB_REF_NAME" age-*
         env:

.github/workflows/ronn.yml

@@ -29,7 +29,7 @@ jobs:
             mv "$f.tmp" "$f"
           done
       - name: Upload generated files
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: man-pages
           path: |
@@ -45,7 +45,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Download generated files
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: man-pages
           path: doc/

.github/workflows/test.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Install bootstrap Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22
+          go-version: stable
       - name: Install Go tip (UNIX)
         if: runner.os != 'Windows'
         run: |

README.md

@@ -133,6 +133,12 @@ $ age --decrypt -i key.txt data.tar.gz.age > data.tar.gz
             <code>scoop bucket add extras && scoop install age</code>
         </td>
     </tr>
+    <tr>
+        <td>pkgx</td>
+        <td>
+            <code>pkgx install age</code>
+        </td>
+    </tr>
 </table>
 
 On Windows, Linux, macOS, and FreeBSD you can use the pre-built binaries.
@@ -151,6 +157,39 @@ go install filippo.io/age/cmd/...@latest
 
 Help from new packagers is very welcome.
 
+### Verifying the release signatures
+
+If you download the pre-built binaries, you can check their
+[Sigsum](https://www.sigsum.org) proofs, which are like signatures with extra
+transparency: you can cryptographically verify that every proof is logged in a
+public append-only log, so you can hold the age project accountable for every
+binary release we ever produced. This is similar to what the [Go Checksum
+Database](https://go.dev/blog/module-mirror-launch) provides.
+
+```
+cat << EOF > age-sigsum-key.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1WpnEswJLPzvXJDiswowy48U+G+G1kmgwUE2eaRHZG
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAz2WM5CyPLqiNjk7CLl4roDXwKhQ0QExXLebukZEZFS
+EOF
+cat << EOF > sigsum-trust-policy.txt
+log 154f49976b59ff09a123675f58cb3e346e0455753c3c3b15d465dcb4f6512b0b https://poc.sigsum.org/jellyfish
+witness poc.sigsum.org/nisse 1c25f8a44c635457e2e391d1efbca7d4c2951a0aef06225a881e46b98962ac6c
+witness rgdd.se/poc-witness  28c92a5a3a054d317c86fc2eeb6a7ab2054d6217100d0be67ded5b74323c5806
+group  demo-quorum-rule all poc.sigsum.org/nisse rgdd.se/poc-witness
+quorum demo-quorum-rule
+EOF
+
+curl -JLO "https://dl.filippo.io/age/v1.2.0?for=darwin/arm64"
+curl -JLO "https://dl.filippo.io/age/v1.2.0?for=darwin/arm64&proof"
+
+go install sigsum.org/sigsum-go/cmd/sigsum-verify@v0.8.0
+sigsum-verify -k age-sigsum-key.pub -p sigsum-trust-policy.txt \
+    age-v1.2.0-darwin-arm64.tar.gz.proof < age-v1.2.0-darwin-arm64.tar.gz
+```
+
+You can learn more about what's happening above in the [Sigsum
+docs](https://www.sigsum.org/getting-started/).
+
 ## Usage
 
 For the full documentation, read [the age(1) man page](https://filippo.io/age/age.1).

cmd/age-keygen/keygen.go

@@ -158,5 +158,5 @@ func errorf(format string, v ...interface{}) {
 }
 
 func warning(msg string) {
-	log.Printf("age-keygen: warning: " + msg)
+	log.Printf("age-keygen: warning: %s", msg)
 }

cmd/age/age.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"regexp"
 	"runtime/debug"
 	"strings"
@@ -223,9 +224,21 @@ func main() {
 		}
 	}
 
+	var inUseFiles []string
+	for _, i := range identityFlags {
+		if i.Type != "i" {
+			continue
+		}
+		inUseFiles = append(inUseFiles, absPath(i.Value))
+	}
+	for _, f := range recipientsFileFlags {
+		inUseFiles = append(inUseFiles, absPath(f))
+	}
+
 	var in io.Reader = os.Stdin
 	var out io.Writer = os.Stdout
 	if name := flag.Arg(0); name != "" && name != "-" {
+		inUseFiles = append(inUseFiles, absPath(name))
 		f, err := os.Open(name)
 		if err != nil {
 			errorf("failed to open input file %q: %v", name, err)
@@ -246,6 +259,11 @@ func main() {
 		}
 	}
 	if name := outFlag; name != "" && name != "-" {
+		for _, f := range inUseFiles {
+			if f == absPath(name) {
+				errorf("input and output file are the same: %q", name)
+			}
+		}
 		f := newLazyOpener(name)
 		defer func() {
 			if err := f.Close(); err != nil {
@@ -532,3 +550,10 @@ func (l *lazyOpener) Close() error {
 	}
 	return nil
 }
+
+func absPath(name string) string {
+	if abs, err := filepath.Abs(name); err == nil {
+		return abs
+	}
+	return name
+}

cmd/age/testdata/encrypted_keys.txt

@@ -2,6 +2,7 @@
 # age file password prompt during encryption
 
 [!linux] [!darwin] skip # no pty support
+[darwin] [go1.20] skip # https://go.dev/issue/61779
 
 # use an encrypted OpenSSH private key without .pub file
 age -R key_ed25519.pub -o ed25519.age input

cmd/age/testdata/output_file.txt

@@ -25,7 +25,31 @@ age -d -i key.txt -o new empty.age
 ! stderr .
 cmp new empty
 
+# https://github.com/FiloSottile/age/issues/491
+cp input inputcopy
+! age -r age1xmwwc06ly3ee5rytxm9mflaz2u56jjj36s0mypdrwsvlul66mv4q47ryef -o inputcopy inputcopy
+stderr 'input and output file are the same'
+cmp inputcopy input
+! age -r age1xmwwc06ly3ee5rytxm9mflaz2u56jjj36s0mypdrwsvlul66mv4q47ryef -o ./inputcopy inputcopy
+stderr 'input and output file are the same'
+cmp inputcopy input
+mkdir foo
+! age -r age1xmwwc06ly3ee5rytxm9mflaz2u56jjj36s0mypdrwsvlul66mv4q47ryef -o inputcopy foo/../inputcopy
+stderr 'input and output file are the same'
+cmp inputcopy input
+cp key.txt keycopy
+age -e -i keycopy -o test.age input
+! age -d -i keycopy -o keycopy test.age
+stderr 'input and output file are the same'
+cmp key.txt keycopy
+
 [!linux] [!darwin] skip # no pty support
+[darwin] [go1.20] skip # https://go.dev/issue/61779
+
+ttyin terminal
+! age -p -o inputcopy inputcopy
+stderr 'input and output file are the same'
+cmp inputcopy input
 
 # https://github.com/FiloSottile/age/issues/159
 ttyin terminal

cmd/age/testdata/plugin.txt

@@ -10,6 +10,15 @@ age -d -i long-key.txt test.age
 cmp stdout input
 ! stderr .
 
+# check that path separators are rejected
+chmod 755 age-plugin-pwn/pwn
+mkdir $TMPDIR/age-plugin-pwn
+cp age-plugin-pwn/pwn $TMPDIR/age-plugin-pwn/pwn
+! age -r age1pwn/pwn19gt89dfz input
+! age -d -i pwn-identity.txt test.age
+! age -d -j pwn/pwn test.age
+! exists pwn
+
 -- input --
 test
 -- key.txt --
@@ -18,3 +27,8 @@ AGE-PLUGIN-TEST-10Q32NLXM
 age1test10pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7qj6rl8p
 -- long-key.txt --
 AGE-PLUGIN-TEST-10PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7RC0PU8S7Q5U8SUD
+-- pwn-identity.txt --
+AGE-PLUGIN-PWN/PWN-19GYK4WLY
+-- age-plugin-pwn/pwn --
+#!/bin/sh
+touch "$WORK/pwn"

cmd/age/testdata/scrypt.txt

@@ -1,4 +1,5 @@
 [!linux] [!darwin] skip # no pty support
+[darwin] [go1.20] skip # https://go.dev/issue/61779
 
 # encrypt with a provided passphrase
 stdin input

cmd/age/testdata/terminal.txt

@@ -1,4 +1,5 @@
 [!linux] [!darwin] skip # no pty support
+[darwin] [go1.20] skip # https://go.dev/issue/61779
 
 # controlling terminal is used instead of stdin/stderr
 ttyin terminal

doc/age-keygen.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "AGE\-KEYGEN" "1" "April 2023" ""
+.TH "AGE\-KEYGEN" "1" "June 2024" ""
 .SH "NAME"
 \fBage\-keygen\fR \- generate age(1) key pairs
 .SH "SYNOPSIS"

doc/age-keygen.1.html

@@ -137,7 +137,7 @@ age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
 
   <ol class='man-decor man-foot man foot'>
     <li class='tl'></li>
-    <li class='tc'>April 2023</li>
+    <li class='tc'>June 2024</li>
     <li class='tr'>age-keygen(1)</li>
   </ol>
 

doc/age.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "AGE" "1" "April 2023" ""
+.TH "AGE" "1" "June 2024" ""
 .SH "NAME"
 \fBage\fR \- simple, modern, and secure file encryption
 .SH "SYNOPSIS"

doc/age.1.html

@@ -432,7 +432,7 @@ $ age -d -i age-yubikey-identity-388178f3.txt secrets.txt.age
 
   <ol class='man-decor man-foot man foot'>
     <li class='tl'></li>
-    <li class='tc'>April 2023</li>
+    <li class='tc'>June 2024</li>
     <li class='tr'>age(1)</li>
   </ol>
 

internal/format/format.go

@@ -201,7 +201,7 @@ func (r *StanzaReader) ReadStanza() (s *Stanza, err error) {
 		b, err := DecodeString(strings.TrimSuffix(string(line), "\n"))
 		if err != nil {
 			if bytes.HasPrefix(line, footerPrefix) || bytes.HasPrefix(line, stanzaPrefix) {
-				return nil, fmt.Errorf("malformed body line %q: stanza ended without a short line\nNote: this might be a file encrypted with an old beta version of age or rage. Use age v1.0.0-beta6 or rage to decrypt it.", line)
+				return nil, fmt.Errorf("malformed body line %q: stanza ended without a short line\nnote: this might be a file encrypted with an old beta version of age or rage; use age v1.0.0-beta6 or rage to decrypt it", line)
 			}
 			return nil, errorf("malformed body line %q: %v", line, err)
 		}

internal/stream/stream.go

@@ -12,7 +12,6 @@ import (
 	"io"
 
 	"golang.org/x/crypto/chacha20poly1305"
-	"golang.org/x/crypto/poly1305"
 )
 
 const ChunkSize = 64 * 1024
@@ -29,7 +28,7 @@ type Reader struct {
 }
 
 const (
-	encChunkSize  = ChunkSize + poly1305.TagSize
+	encChunkSize  = ChunkSize + chacha20poly1305.Overhead
 	lastChunkFlag = 0x01
 )
 

plugin/client.go

@@ -9,13 +9,13 @@ package plugin
 
 import (
 	"bufio"
-	"bytes"
 	"fmt"
 	"io"
 	"math/rand"
 	"os"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"time"
 
 	exec "golang.org/x/sys/execabs"
@@ -179,6 +179,9 @@ func NewIdentity(s string, ui *ClientUI) (*Identity, error) {
 
 func NewIdentityWithoutData(name string, ui *ClientUI) (*Identity, error) {
 	s := EncodeIdentity(name, nil)
+	if s == "" {
+		return nil, fmt.Errorf("invalid plugin name: %q", name)
+	}
 	return &Identity{
 		name: name, encoding: s, ui: ui,
 	}, nil
@@ -382,7 +385,6 @@ type clientConnection struct {
 	cmd       *exec.Cmd
 	io.Reader // stdout
 	io.Writer // stdin
-	stderr    bytes.Buffer
 	close     func()
 }
 
@@ -392,6 +394,8 @@ func openClientConnection(name, protocol string) (*clientConnection, error) {
 	path := "age-plugin-" + name
 	if testOnlyPluginPath != "" {
 		path = filepath.Join(testOnlyPluginPath, path)
+	} else if strings.ContainsRune(name, os.PathSeparator) {
+		return nil, fmt.Errorf("invalid plugin name: %q", name)
 	}
 	cmd := exec.Command(path, "--age-plugin="+protocol)
 

plugin/encode.go

@@ -14,6 +14,9 @@ import (
 // EncodeIdentity encodes a plugin identity string for a plugin with the given
 // name. If the name is invalid, it returns an empty string.
 func EncodeIdentity(name string, data []byte) string {
+	if !validPluginName(name) {
+		return ""
+	}
 	s, _ := bech32.Encode("AGE-PLUGIN-"+strings.ToUpper(name)+"-", data)
 	return s
 }
@@ -30,12 +33,18 @@ func ParseIdentity(s string) (name string, data []byte, err error) {
 	}
 	name = strings.TrimSuffix(strings.TrimPrefix(hrp, "AGE-PLUGIN-"), "-")
 	name = strings.ToLower(name)
+	if !validPluginName(name) {
+		return "", nil, fmt.Errorf("invalid plugin name: %q", name)
+	}
 	return name, data, nil
 }
 
 // EncodeRecipient encodes a plugin recipient string for a plugin with the given
 // name. If the name is invalid, it returns an empty string.
 func EncodeRecipient(name string, data []byte) string {
+	if !validPluginName(name) {
+		return ""
+	}
 	s, _ := bech32.Encode("age1"+strings.ToLower(name), data)
 	return s
 }
@@ -51,5 +60,21 @@ func ParseRecipient(s string) (name string, data []byte, err error) {
 		return "", nil, fmt.Errorf("not a plugin recipient: %v", err)
 	}
 	name = strings.TrimPrefix(hrp, "age1")
+	if !validPluginName(name) {
+		return "", nil, fmt.Errorf("invalid plugin name: %q", name)
+	}
 	return name, data, nil
 }
+
+func validPluginName(name string) bool {
+	if name == "" {
+		return false
+	}
+	allowed := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-._"
+	for _, r := range name {
+		if !strings.ContainsRune(allowed, r) {
+			return false
+		}
+	}
+	return true
+}