stoorps/aim
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: harden download and install security

Browse source
This commit is contained in:
stoorps 2026-03-21 20:48:53 +00:00
parent f8ffb95376
commit af13e98eb3
Signed by: stoorps
SSH key fingerprint: SHA256:AZlPfu9hTu042EGtZElmDQoy+KvMOeShLDan/fYLoNI
33 changed files with 1517 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

62
.architecture/overview.md Normal file
View file

@ -0,0 +1,62 @@
# Architecture Overview
## Workspace Shape
`aim` is a Rust workspace with two main crates:
- `crates/aim-core`: source normalization, provider adapters, install/update planning, payload installation, registry persistence, and desktop integration.
- `crates/aim-cli`: argument parsing, config loading, terminal UX, prompting, progress reporting, and summary rendering.
The split keeps product logic in `aim-core` so additional frontends can reuse the same install and update pipeline.
## Core Flow
The main execution path is:
1. Parse CLI input and load runtime config in `aim-cli`.
2. Resolve the query into a normalized source in `aim-core`.
3. Build an add or update plan through provider adapters and artifact selection.
4. Download the selected AppImage into a staged path.
5. Verify integrity metadata when available.
6. Commit the payload into the managed install location.
7. Write desktop integration artifacts and refresh helper caches.
8. Persist registry state atomically.
## Source And Provider Model
Supported source classes currently include:
- GitHub repository and release forms
- GitLab repository forms
- AppImageHub item forms
- SourceForge release and download forms
- direct URLs
- local file imports
Provider-specific resolution lives in `crates/aim-core/src/adapters` and `crates/aim-core/src/source`.
## Security Hardening State
The current workspace enforces the following download and install boundaries:
- user-supplied `http://` inputs are rejected by default
- runtime opt-in is available through `allow_http = true`
- that opt-in applies only to user-supplied sources, including update flows derived from stored direct HTTP origins
- AppImageHub provider-returned download URLs must remain HTTPS
- AppImageHub MD5 metadata is verified as weak integrity before payload commit
- desktop entry display names are sanitized to prevent newline and control-character field injection
- stable identifiers that normalize to empty or contain `..` are rejected
The remaining deferred AppImageHub host-trust concern is tracked in `security-issues.md`.
## Persistence And Integration
- Registry writes are atomic and live under the registry store implementation in `aim-core`.
- Managed payload, desktop entry, and icon paths are resolved from install policy and scope.
- Desktop integration refresh uses external helpers when available and now supports env-gated audit logging through `AIM_DEBUG_EXTERNAL_HELPERS=1`.
## Planning And Audit Artifacts
- implementation plans live under `.plans/`
- audit reports live under `.audits/`
- architecture state and tracked security issues live under `.architecture/`