From 43f11a9948212d570c7b12fe974ae6f614416dfb Mon Sep 17 00:00:00 2001
From: Craig Jennings <c@cjennings.net>
Date: Mon, 11 May 2026 18:36:36 -0500
Subject: fix(archsetup): accept local-path repo specs in config validation

The `validate_config()` repo check I just added used a scheme allowlist (`http(s)://`, `git://`, `ssh://`, `user@host:path`), which rejected `ARCHSETUP_REPO=/tmp/archsetup-test` in `scripts/testing/archsetup-vm.conf`. That broke the VM test: archsetup exited during validation before logging anything, and `run-test.sh` reported "ArchSetup process not found after launch". `git clone` accepts local paths and `file://` URLs fine, so the allowlist was wrong. I replaced it with a security-only check: reject a leading dash (which `git` would parse as an option) plus whitespace and control characters, allow everything else. Smoke-tested against the test config and a matrix of repo forms.
---
 archsetup | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/archsetup b/archsetup
index 1624e78..d2ee265 100755
--- a/archsetup
+++ b/archsetup
@@ -174,20 +174,16 @@ validate_config() {
         exit 1
     fi
 
+    # Repo specs are handed to `git clone`, which also accepts local paths and
+    # file:// URLs (the test harness points ARCHSETUP_REPO at a local checkout),
+    # so don't allowlist schemes. Just block the one real injection vector -- a
+    # leading dash, which git would parse as an option -- plus whitespace and
+    # control characters.
     local repo
     for repo in "$dwm_repo" "$dmenu_repo" "$st_repo" "$slock_repo" "$dotemacs_repo" "$archsetup_repo"; do
         [[ -z "$repo" ]] && continue
-        case "$repo" in
-            http://*|https://*|git://*|ssh://*) ;;
-            *@*:*) ;;
-            *)
-                echo "ERROR: Repository URL looks unsupported: '$repo'" >&2
-                echo "  Expected http(s)://, git://, ssh://, or user@host:path." >&2
-                exit 1
-                ;;
-        esac
-        if [[ "$repo" =~ [[:space:]] || "$repo" == -* ]]; then
-            echo "ERROR: Repository URL contains whitespace or starts with '-': '$repo'" >&2
+        if [[ "$repo" == -* || "$repo" =~ [[:space:][:cntrl:]] ]]; then
+            echo "ERROR: Repository spec must not start with '-' or contain whitespace/control characters: '$repo'" >&2
             exit 1
         fi
     done
-- 
cgit v1.2.3