From 2a2097f4ff99287c84bee69f5116cffdc90e73b1 Mon Sep 17 00:00:00 2001
From: Alessandro Astone
Date: Thu, 12 Oct 2023 16:22:02 +0200
Subject: [PATCH] hardware_manager: Validate upgrade zips against the saved ota channel
---
 tools/helpers/images.py | 14 ++++++++++++++
 tools/services/hardware_manager.py | 7 +++++++
 2 files changed, 21 insertions(+)
diff --git a/tools/helpers/images.py b/tools/helpers/images.py
index 7436d6d..f266db3 100644
--- a/tools/helpers/images.py
+++ b/tools/helpers/images.py
@@ -81,6 +81,20 @@ def get(args):
 break
 remove_overlay(args)
 
+def validate(args, channel, image_zip):
+ # Verify that the zip comes from the channel
+ cfg = tools.config.load(args)
+ channel_url = cfg["waydroid"][channel]
+ channel_request = helpers.http.retrieve(channel_url)
+ if channel_request[0] != 200:
+ return False
+ channel_responses = json.loads(channel_request[1].decode('utf8'))["response"]
+ for build in channel_responses:
+ if sha256sum(image_zip) == build['id']:
+ return True
+ logging.warning(f"Could not verify the image {image_zip} against {channel_url}")
+ return False
+
 def replace(args, system_zip, system_time, vendor_zip, vendor_time):
 cfg = tools.config.load(args)
 args.images_path = cfg["waydroid"]["images_path"]
diff --git a/tools/services/hardware_manager.py b/tools/services/hardware_manager.py
index 76104cb..b9cff46 100644
--- a/tools/services/hardware_manager.py
+++ b/tools/services/hardware_manager.py
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 import logging
 import threading
+import os
 import tools.actions.container_manager
 import tools.actions.session_manager
 import tools.config
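Review bot: A channel response that is not the expected shape raises out of `validate` instead of returning False: `json.loads(channel_request[1].decode('utf8'))["response"]` throws on a non-JSON body or a missing `response` key, and `build['id']` throws on an entry without `id`, so the caller's "unverified source" branch is bypassed and the exception propagates into the service. Wrapping the parse and the comparison in a `try`/`except` that logs and returns False keeps the check fail-closed with a clear log line, and hoisting `sha256sum(image_zip)` out of the loop avoids re-reading the whole zip once per listed build. The check is only as trustworthy as the fetch of `channel_url`: if `helpers.http.retrieve` (not visible here) does not verify TLS, or the configured URL is plain http, an on-path attacker can serve an `id` matching any zip they also supply, so a comment recording that assumption next to the retrieve call would help. The rewritten tail of the function is below.
```python
def validate(args, channel, image_zip):
    # … unchanged: load channel_url from config, retrieve it, reject non-200 …
    digest = sha256sum(image_zip)  # hash the zip once, not once per listed build
    try:
        builds = json.loads(channel_request[1].decode('utf8'))["response"]
        if any(build.get('id') == digest for build in builds):
            return True
    except (ValueError, KeyError, TypeError, AttributeError):
        # fail closed on a malformed or unexpected channel response
        logging.warning(f"Malformed channel response from {channel_url}")
        return False
    logging.warning(f"Could not verify the image {image_zip} against {channel_url}")
    return False
```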
@@ -29,6 +30,12 @@ def start(args):
 helpers.lxc.start(args)
 
 def upgrade(system_zip, system_time, vendor_zip, vendor_time):
+ if os.path.exists(system_zip) and not helpers.images.validate(args, "system_ota", system_zip):
+ logging.warning("Not upgrading because system.img comes from an unverified source")
+ return
+ if os.path.exists(vendor_zip) and not helpers.images.validate(args, "vendor_ota", vendor_zip):
+ logging.warning("Not upgrading because vendor.img comes from an unverified source")
+ return
 helpers.lxc.stop(args)
 helpers.images.umount_rootfs(args)
 helpers.images.replace(args, system_zip, system_time,
-- 
2.47.3
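Review bot: The two new `validate` calls hash `system_zip` and `vendor_zip` where they sit on disk, but `helpers.images.replace` re-reads the same paths only after `helpers.lxc.stop` and `umount_rootfs` have run, so if the directory holding the zips is writable by whoever requests the upgrade (the caller of `upgrade` is outside this hunk) the file can be swapped between the hash check and the install. Staging each zip into a root-owned location before validating and passing the staged path on to `replace` closes that window; failing that, a comment such as `# zips must live where the requester cannot modify them between validate() and replace()` should record the assumption. A path that does not exist also skips validation and continues into `replace`; if `replace` does not itself tolerate a missing zip, that case deserves the same early `return` with a warning.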