
firewalld and systemd services share the same validator #3720

@ondrejbudai

Description


Disclaimer: I stumbled upon this while reading #3675. I don't think this actually affects anyone but the code definitely raised my eyebrows, so I decided to report it. It's quite nitpicky, sorry about that. 😅

I noticed that the firewalld and the systemd service input field share the same validator isServiceValid:

Services services input:

Firewalld services:


However, these are actually completely different kind of services: the former one is a systemd service, the latter one is a firewalld service.

The validation for a systemd service should actually accept more stuff, see https://github.com/systemd/systemd/blob/770170fa622372540979e7c66629727dbd4d8ecb/man/systemd.unit.xml#L121:

Valid unit names consist of a "unit name prefix", and a suffix specifying the unit type which begins with a dot. The "unit name prefix" must consist of one or more valid characters (ASCII letters, digits, ":", "-", "_", ".", and "\"). The total length of the unit name including the suffix must not exceed 255 characters. The unit type suffix must be one of ".service", ".socket", ".device", ".mount", ".automount", ".swap", ".target", ".path", ".timer", ".slice", or ".scope".

Unit names can be parameterized by a single argument called the "instance name". The unit is then constructed based on a "template file" which serves as the definition of multiple services or other units. A template unit must have a single "@" at the end of the unit name prefix (right before the type suffix). The name of the full unit is formed by inserting the instance name between "@" and the unit type suffix. In the unit file itself, the instance parameter may be referred to using "%i" and other specifiers, see below.

So basically: return service.length <= 255 && /^[a-zA-Z0-9.\-_:@]+$/.test(service);

The validation of a firewalld service name is tricky, the firewalld man page doesn't actually specify anything. I looked in the firewalld sources, and they don't seem to do any name validation, see https://github.com/firewalld/firewalld/blob/048ad2b5ae4814ce68f41011295937b41c888014/src/firewall/core/io/service.py#L218. Thus, I think I would validate that it's just a valid Linux filename - max 255 chars (well, actually 251 since these files always have the .xml extension), no / and no NULL characters.
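The two rule sets described in the issue, written out as separate validators in JavaScript. This is an added example, not code from the issue author or from the project; it follows the quoted systemd unit-name rules (allowed prefix characters including the backslash, the suffix list, the 255-character limit, a single "@" before the suffix) and the filename-based rule proposed for firewalld service names. It goes slightly beyond the text in two places, both assumptions: the instance part of a template name is checked against the same character set as the prefix, and the firewalld check measures UTF-8 bytes (what NAME_MAX actually limits) and rejects "." and "..", which are never usable filenames.

```javascript
// Added example: separate validators for systemd unit names and firewalld
// service names, so the two input fields no longer share one regex.

// Unit type suffixes listed in systemd.unit(5).
const UNIT_SUFFIXES = [
  ".service", ".socket", ".device", ".mount", ".automount", ".swap",
  ".target", ".path", ".timer", ".slice", ".scope",
];

// Characters allowed in a unit name prefix: ASCII letters, digits,
// ":", "-", "_", ".", and "\". "@" is handled separately below.
const PREFIX_CHARS = /^[A-Za-z0-9:\-_.\\]+$/;

function isSystemdUnitValid(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 255) {
    return false;
  }
  const suffix = UNIT_SUFFIXES.find((s) => name.endsWith(s));
  if (!suffix) return false;

  const prefix = name.slice(0, -suffix.length);
  if (prefix.length === 0) return false; // ".service" alone is not a unit

  const at = prefix.indexOf("@");
  if (at === -1) return PREFIX_CHARS.test(prefix); // plain unit

  // Template ("getty@.service") or instance ("getty@tty1.service"):
  // exactly one "@", and it must not be the first character.
  if (at === 0 || prefix.indexOf("@", at + 1) !== -1) return false;
  const base = prefix.slice(0, at);
  const instance = prefix.slice(at + 1);
  // Assumption: instance names use the same character set as the prefix.
  return PREFIX_CHARS.test(base) && (instance === "" || PREFIX_CHARS.test(instance));
}

function isFirewalldServiceValid(name) {
  if (typeof name !== "string" || name.length === 0) return false;
  // The definition is stored as <name>.xml; NAME_MAX (255 bytes) minus
  // the 4-byte ".xml" extension leaves 251 bytes for the name itself.
  if (Buffer.byteLength(name, "utf8") > 251) return false;
  // Assumption beyond the issue text: "." and ".." can never be file names.
  if (name === "." || name === "..") return false;
  // A path separator or NUL byte cannot appear in a single filename.
  return !name.includes("/") && !name.includes("\0");
}
```

Wiring each field to its own function keeps the systemd check permissive enough for real unit names (instances, templates, dots in the prefix) while the firewalld check stays a plain filename check, which is the most that the firewalld sources themselves enforce.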
