Build: harden OpenWrt package input handling

Stage VeraCrypt and wxWidgets sources under the SDK package directory before rendering the OpenWrt package Makefile. The generated recipe now refers only to fixed package-local paths, so checkout and work directory names are no longer parsed as GNU Make syntax or passed unquoted through recipe source arguments.

Validate VeraCrypt and wxWidgets version tokens before substituting them into generated package metadata. This prevents unexpected Make metacharacters from entering the generated OpenWrt recipe while preserving normal dotted release versions.

Quote OpenWrt QEMU test container-size values with the existing shell quoting helper, matching the password handling and preventing user-supplied size text from being split or interpreted by the guest shell.

src/Build/Packaging/openwrt/package/utils/veracrypt/Makefile.in

@@ -11,9 +11,8 @@ PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_DEPENDS:=fuse3 pcsc-lite
 
-WXWIDGETS_VERSION:=@WXWIDGETS_VERSION@
+VERACRYPT_STAGED_SOURCE:=sources/veracrypt
-VERACRYPT_SOURCE_DIR:=@VERACRYPT_SOURCE_DIR@
+WXWIDGETS_STAGED_SOURCE:=sources/wxWidgets
-WXWIDGETS_SOURCE_DIR:=@WXWIDGETS_SOURCE_DIR@
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -34,8 +33,8 @@ define Package/veracrypt/description
 endef
 
 define Build/Prepare
-	rm -rf $(PKG_BUILD_DIR)
+	rm -rf "$(PKG_BUILD_DIR)"
-	$(INSTALL_DIR) $(PKG_BUILD_DIR)
+	$(INSTALL_DIR) "$(PKG_BUILD_DIR)"
 	rsync -a --delete \
 		--exclude .git \
 		--exclude 'src/wxrelease' \
@@ -45,8 +44,8 @@ define Build/Prepare
 		--exclude '*.o' \
 		--exclude '*.d' \
 		--exclude '*.a' \
-		$(VERACRYPT_SOURCE_DIR)/ $(PKG_BUILD_DIR)/veracrypt/
+		"$(VERACRYPT_STAGED_SOURCE)/" "$(PKG_BUILD_DIR)/veracrypt/"
-	rsync -a --delete $(WXWIDGETS_SOURCE_DIR)/ $(PKG_BUILD_DIR)/wxWidgets-$(WXWIDGETS_VERSION)/
+	rsync -a --delete "$(WXWIDGETS_STAGED_SOURCE)/" "$(PKG_BUILD_DIR)/wxWidgets/"
 endef
 
 define Build/Configure
@@ -60,7 +59,7 @@ VC_COMMON_MAKE_FLAGS = \
 	RANLIB="$(TARGET_RANLIB)" \
 	PKG_CONFIG="$(PKG_CONFIG)" \
 	PKG_CONFIG_PATH="$(PKG_CONFIG_PATH)" \
-	WX_ROOT="$(PKG_BUILD_DIR)/wxWidgets-$(WXWIDGETS_VERSION)" \
+	WX_ROOT="$(PKG_BUILD_DIR)/wxWidgets" \
 	WX_BUILD_DIR="$(PKG_BUILD_DIR)/wxBuildConsole" \
 	WX_CONFIGURE_EXTRA_FLAGS="--target=$(GNU_TARGET_NAME) --host=$(GNU_TARGET_NAME) --build=$(GNU_HOST_NAME) --prefix=/usr --exec-prefix=/usr --disable-rpath" \
 	TC_EXTRA_CFLAGS="$(TARGET_CFLAGS) $(TARGET_CPPFLAGS)" \
@@ -74,18 +73,18 @@ VC_COMMON_MAKE_FLAGS = \
 	VERBOSE=1
 
 define Build/Compile
-	+$(MAKE) -C $(PKG_BUILD_DIR)/veracrypt/src $(VC_COMMON_MAKE_FLAGS) clean
+	+$(MAKE) -C "$(PKG_BUILD_DIR)/veracrypt/src" $(VC_COMMON_MAKE_FLAGS) clean
-	+$(MAKE) -C $(PKG_BUILD_DIR)/veracrypt/src $(VC_COMMON_MAKE_FLAGS) wxbuild
+	+$(MAKE) -C "$(PKG_BUILD_DIR)/veracrypt/src" $(VC_COMMON_MAKE_FLAGS) wxbuild
-	+$(MAKE) -C $(PKG_BUILD_DIR)/veracrypt/src $(PKG_JOBS) $(VC_COMMON_MAKE_FLAGS)
+	+$(MAKE) -C "$(PKG_BUILD_DIR)/veracrypt/src" $(PKG_JOBS) $(VC_COMMON_MAKE_FLAGS)
 endef
 
 define Package/veracrypt/install
-	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_DIR) "$(1)/usr/bin"
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/veracrypt/src/Main/veracrypt $(1)/usr/bin/veracrypt
+	$(INSTALL_BIN) "$(PKG_BUILD_DIR)/veracrypt/src/Main/veracrypt" "$(1)/usr/bin/veracrypt"
-	$(INSTALL_DIR) $(1)/sbin
+	$(INSTALL_DIR) "$(1)/sbin"
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/veracrypt/src/Setup/Linux/mount.veracrypt $(1)/sbin/mount.veracrypt
+	$(INSTALL_BIN) "$(PKG_BUILD_DIR)/veracrypt/src/Setup/Linux/mount.veracrypt" "$(1)/sbin/mount.veracrypt"
-	$(INSTALL_DIR) $(1)/usr/share/licenses/veracrypt
+	$(INSTALL_DIR) "$(1)/usr/share/licenses/veracrypt"
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/veracrypt/src/License.txt $(1)/usr/share/licenses/veracrypt/License.txt
+	$(INSTALL_DATA) "$(PKG_BUILD_DIR)/veracrypt/src/License.txt" "$(1)/usr/share/licenses/veracrypt/License.txt"
 endef
 
 $(eval $(call BuildPackage,veracrypt))

src/Build/build_veracrypt_openwrt.sh

@@ -68,6 +68,17 @@ require_option_arg() {
 	[ $# -ge 2 ] || die "Option $1 requires an argument"
 }
 
+validate_version_token() {
+	name=$1
+	value=$2
+
+	case "$value" in
+		''|*[!A-Za-z0-9._+-]*)
+			die "$name must contain only letters, digits, '.', '_', '+', or '-'"
+			;;
+	esac
+}
+
 download_file() {
 	url=$1
 	out=$2
@@ -236,20 +247,53 @@ sed_escape() {
 	printf '%s' "$1" | sed 's/[&|]/\\&/g'
 }
 
+assert_package_dir_outside_checkout() {
+	package_dir=$1
+
+	case "$package_dir/" in
+		"$REPOROOT"/*)
+			die "OpenWrt package directory is inside the VeraCrypt checkout; choose a --work-dir or --sdk-dir outside the repository"
+			;;
+	esac
+}
+
+stage_package_sources() {
+	package_dir=$1
+	staging_dir="$package_dir/sources"
+
+	assert_package_dir_outside_checkout "$package_dir"
+
+	rm -rf "$staging_dir"
+	mkdir -p "$staging_dir/veracrypt" "$staging_dir/wxWidgets"
+
+	rsync -a --delete \
+		--exclude .git \
+		--exclude 'src/wxrelease' \
+		--exclude 'src/wxdebug' \
+		--exclude 'src/Main/veracrypt' \
+		--exclude 'src/Setup/Linux/usr' \
+		--exclude '*.o' \
+		--exclude '*.d' \
+		--exclude '*.a' \
+		"$REPOROOT/" "$staging_dir/veracrypt/"
+
+	rsync -a --delete "$WX_SOURCE_DIR/" "$staging_dir/wxWidgets/"
+}
+
 render_package_makefile() {
 	version=$(sed -n 's/^#define[[:space:]][[:space:]]*VERSION_STRING[[:space:]][[:space:]]*"\([^"]*\)".*/\1/p' "$SOURCEPATH/Common/Tcdefs.h" | head -n 1)
 	[ -n "$version" ] || die "Could not determine VeraCrypt version from src/Common/Tcdefs.h"
+	validate_version_token "VeraCrypt version" "$version"
 
 	package_dir="$SDK_DIR/package/utils/veracrypt"
 	template="$REPOROOT/src/Build/Packaging/openwrt/package/utils/veracrypt/Makefile.in"
 
+	assert_package_dir_outside_checkout "$package_dir"
 	rm -rf "$package_dir"
 	mkdir -p "$package_dir"
+	stage_package_sources "$package_dir"
 	sed \
 		-e "s|@VERACRYPT_VERSION@|$(sed_escape "$version")|g" \
-		-e "s|@VERACRYPT_SOURCE_DIR@|$(sed_escape "$REPOROOT")|g" \
-		-e "s|@WXWIDGETS_VERSION@|$(sed_escape "$WX_VERSION")|g" \
-		-e "s|@WXWIDGETS_SOURCE_DIR@|$(sed_escape "$WX_SOURCE_DIR")|g" \
 		"$template" > "$package_dir/Makefile"
 
 	VERACRYPT_VERSION=$version
@@ -369,6 +413,7 @@ case "$JOBS" in
 		;;
 esac
 [ "$JOBS" -gt 0 ] || die "jobs must be a positive integer"
+validate_version_token "wxWidgets version" "$WX_VERSION"
 
 need_tool awk
 need_tool find

src/Build/test_veracrypt_openwrt_qemu.py

@@ -713,12 +713,13 @@ def run_guest_tests(args, console, http_port, packages):
         raise TestError("algorithm self-test did not report success")
 
     if not args.skip_container:
-        escaped_password = args.password.replace("'", "'\"'\"'")
+        quoted_container_size = sh_quote(args.container_size)
+        quoted_password = sh_quote(args.password)
         console.run("dd if=/dev/urandom of=/tmp/vc-random.bin bs=1M count=1", timeout=120)
         console.run(
             "veracrypt --text --create /tmp/openwrt-test.hc "
-            f"--size={args.container_size} "
+            f"--size={quoted_container_size} "
-            f"--password='{escaped_password}' "
+            f"--password={quoted_password} "
             "--encryption=AES --hash=SHA-512 --filesystem=none "
             "--volume-type=normal --random-source=/tmp/vc-random.bin "
             "--quick --force --non-interactive",
@@ -727,7 +728,7 @@ def run_guest_tests(args, console, http_port, packages):
         console.run("mkdir -p /mnt/veracrypt-test", timeout=60)
         console.run(
             "veracrypt --text --mount /tmp/openwrt-test.hc /mnt/veracrypt-test "
-            f"--password='{escaped_password}' "
+            f"--password={quoted_password} "
             "--pim=0 --keyfiles='' --protect-hidden=no --filesystem=none --non-interactive",
             timeout=240,
         )