flake.lock: Update

fix: Github diffs URL

.github/workflows/test.yml

@@ -16,7 +16,7 @@ jobs:
             runner: ubuntu-24.04-arm
     runs-on: ${{ matrix.runner }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - uses: cachix/install-nix-action@v31

.github/workflows/update-flakes.yml

@@ -11,12 +11,12 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - uses: cachix/install-nix-action@v31
     - name: Update flake inputs
       run: nix flake update
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v5
+      uses: peter-evans/create-pull-request@v8
       with:
         commit-message: "flake.lock: Update"
         title: "Update flake inputs"

.perlcriticrc

@@ -2,3 +2,9 @@ theme = community
 
 # 5 is the least complainy, 1 is the most complainy
 severity = 1
+
+# Disallow backticks - use IPC::Run3 instead for better security
+include = InputOutput::ProhibitBacktickOperators
+
+# Prohibit shell-invoking system() and exec() - use list form or IPC::Run3 instead
+include = Hydra::ProhibitShellInvokingSystemCalls

README.md

@@ -23,7 +23,7 @@ Running Hydra is currently only supported on NixOS. The [hydra module](https://g
 }
 ```
 ### Creating An Admin User
-Once the Hydra service has been configured as above and activate you should already be able to access the UI interface at the specified URL. However some actions require an admin user which has to be created first:
+Once the Hydra service has been configured as above and activated, you should already be able to access the UI interface at the specified URL. However some actions require an admin user which has to be created first:
 
 ```
 $ su - hydra

doc/manual/src/SUMMARY.md

@@ -10,6 +10,7 @@
   - [RunCommand](./plugins/RunCommand.md)
 - [Using the external API](api.md)
 - [Webhooks](webhooks.md)
+  - [Webhook Authentication Migration Guide](webhook-migration-guide.md)
 - [Monitoring Hydra](./monitoring/README.md)
 
 ## Developer's Guide

doc/manual/src/configuration.md

@@ -266,6 +266,40 @@ default role mapping:
 Note that configuring both the LDAP parameters in the hydra.conf and via
 the environment variable is a fatal error.
 
+Webhook Authentication
+---------------------
+
+Hydra supports authenticating webhook requests from GitHub and Gitea to prevent unauthorized job evaluations.
+Webhook secrets should be stored in separate files outside the Nix store for security using Config::General's include mechanism.
+
+In your main `hydra.conf`:
+```apache
+<webhooks>
+  Include /var/lib/hydra/secrets/webhook-secrets.conf
+</webhooks>
+```
+
+Then create `/var/lib/hydra/secrets/webhook-secrets.conf` with your actual secrets:
+```apache
+<github>
+  secret = your-github-webhook-secret
+</github>
+<gitea>
+  secret = your-gitea-webhook-secret
+</gitea>
+```
+
+For multiple secrets (useful for rotation or multiple environments), use an array:
+```apache
+<github>
+  secret = your-github-webhook-secret-prod
+  secret = your-github-webhook-secret-staging
+</github>
+```
+
+**Important**: The secrets file should have restricted permissions (e.g., 0600) to prevent unauthorized access.
+See the [Webhooks documentation](webhooks.md) for detailed setup instructions.
+
 Embedding Extra HTML
 --------------------
 

doc/manual/src/webhook-migration-guide.md

@@ -0,0 +1,168 @@
+# Webhook Authentication Migration Guide
+
+This guide helps Hydra administrators migrate from unauthenticated webhooks to authenticated webhooks to secure their Hydra instances against unauthorized job evaluations.
+
+## Why Migrate?
+
+Currently, Hydra's webhook endpoints (`/api/push-github` and `/api/push-gitea`) accept any POST request without authentication. This vulnerability allows:
+- Anyone to trigger expensive job evaluations
+- Potential denial of service through repeated requests
+- Manipulation of build timing and scheduling
+
+## Step-by-Step Migration for NixOS
+
+### 1. Create Webhook Configuration
+
+Create a webhook secrets configuration file with the generated secrets:
+
+```bash
+# Create the secrets configuration file with inline secret generation
+cat > /var/lib/hydra/secrets/webhook-secrets.conf <<EOF
+<github>
+  secret = $(openssl rand -hex 32)
+</github>
+<gitea>
+  secret = $(openssl rand -hex 32)
+</gitea>
+EOF
+
+# Set secure permissions
+chmod 0440 /var/lib/hydra/secrets/webhook-secrets.conf
+chown hydra:hydra /var/lib/hydra/secrets/webhook-secrets.conf
+```
+
+**Important**: Save the generated secrets to configure them in GitHub/Gitea later. You can view them with:
+```bash
+cat /var/lib/hydra/secrets/webhook-secrets.conf
+```
+
+Then update your NixOS configuration to include the webhook configuration:
+
+```nix
+{
+  services.hydra-dev = {
+    enable = true;
+    hydraURL = "https://hydra.example.com";
+    notificationSender = "hydra@example.com";
+
+    extraConfig = ''
+      <webhooks>
+        Include /var/lib/hydra/secrets/webhook-secrets.conf
+      </webhooks>
+    '';
+  };
+}
+```
+
+For multiple secrets (useful for rotation or multiple environments), update your webhook-secrets.conf:
+
+```apache
+<github>
+  secret = your-github-webhook-secret-prod
+  secret = your-github-webhook-secret-staging
+</github>
+<gitea>
+  secret = your-gitea-webhook-secret
+</gitea>
+```
+
+### 2. Deploy Configuration
+
+Apply the NixOS configuration:
+
+```bash
+nixos-rebuild switch
+```
+
+This will automatically restart Hydra services with the new configuration.
+
+### 3. Verify Configuration
+
+Check Hydra's logs to ensure secrets were loaded successfully:
+
+```bash
+journalctl -u hydra-server | grep -i webhook
+```
+
+You should not see warnings about webhook authentication not being configured.
+
+### 4. Update Your Webhooks
+
+#### GitHub
+1. Navigate to your repository settings: `https://github.com/<owner>/<repo>/settings/hooks`
+2. Edit your existing Hydra webhook
+3. In the "Secret" field, paste the content of `/var/lib/hydra/secrets/github-webhook-secret`
+4. Click "Update webhook"
+5. GitHub will send a ping event to verify the configuration
+
+#### Gitea
+1. Navigate to your repository webhook settings
+2. Edit your existing Hydra webhook
+3. In the "Secret" field, paste the content of `/var/lib/hydra/secrets/gitea-webhook-secret`
+4. Click "Update Webhook"
+5. Use the "Test Delivery" button to verify the configuration
+
+### 5. Test the Configuration
+
+After updating each webhook:
+1. Make a test commit to trigger the webhook
+2. Check Hydra's logs for successful authentication
+3. Verify the evaluation was triggered in Hydra's web interface
+
+## Troubleshooting
+
+### 401 Unauthorized Errors
+
+If webhooks start failing with 401 errors:
+- Verify the secret in the Git forge matches the file content exactly
+- Check file permissions: `ls -la /var/lib/hydra/secrets/`
+- Ensure no extra whitespace in secret files
+- Check Hydra logs for specific error messages
+
+### Webhook Still Unauthenticated
+
+If you see warnings about unauthenticated webhooks after configuration:
+- Verify the configuration syntax in your NixOS module
+- Ensure the NixOS configuration was successfully applied
+- Check that the webhook-secrets.conf file exists and is readable by the Hydra user
+- Verify the Include path is correct in your hydra.conf
+- Check the syntax of your webhook-secrets.conf file
+
+### Testing Without Git Forge
+
+You can test webhook authentication using curl:
+
+```bash
+# Read the secret
+SECRET=$(cat /var/lib/hydra/secrets/github-webhook-secret)
+
+# Create test payload
+PAYLOAD='{"ref":"refs/heads/main","repository":{"clone_url":"https://github.com/test/repo.git"}}'
+
+# Calculate signature
+SIGNATURE="sha256=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)"
+
+# Send authenticated request
+curl -X POST https://your-hydra/api/push-github \
+  -H "Content-Type: application/json" \
+  -H "X-Hub-Signature-256: $SIGNATURE" \
+  -d "$PAYLOAD"
+```
+
+For Gitea (no prefix in signature):
+```bash
+# Read the secret
+SECRET=$(cat /var/lib/hydra/secrets/gitea-webhook-secret)
+
+# Create test payload
+PAYLOAD='{"ref":"refs/heads/main","repository":{"clone_url":"https://gitea.example.com/test/repo.git"}}'
+
+# Calculate signature
+SIGNATURE=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" | cut -d' ' -f2)
+
+# Send authenticated request
+curl -X POST https://your-hydra/api/push-gitea \
+  -H "Content-Type: application/json" \
+  -H "X-Gitea-Signature: $SIGNATURE" \
+  -d "$PAYLOAD"
+```

doc/manual/src/webhooks.md

@@ -3,6 +3,58 @@
 Hydra can be notified by github or gitea with webhooks to trigger a new evaluation when a
 jobset has a github repo in its input.
 
+## Webhook Authentication
+
+Hydra supports webhook signature verification for both GitHub and Gitea using HMAC-SHA256. This ensures that webhook
+requests are coming from your configured Git forge and haven't been tampered with.
+
+### Configuring Webhook Authentication
+
+1. **Create webhook configuration**: Generate and store webhook secrets securely:
+   ```bash
+   # Create directory and generate secrets in one step
+   mkdir -p /var/lib/hydra/secrets
+   cat > /var/lib/hydra/secrets/webhook-secrets.conf <<EOF
+   <github>
+     secret = $(openssl rand -hex 32)
+   </github>
+   <gitea>
+     secret = $(openssl rand -hex 32)
+   </gitea>
+   EOF
+
+   # Set secure permissions
+   chmod 0600 /var/lib/hydra/secrets/webhook-secrets.conf
+   chown hydra:hydra /var/lib/hydra/secrets/webhook-secrets.conf
+   ```
+
+2. **Configure Hydra**: Add the following to your `hydra.conf`:
+   ```apache
+   <webhooks>
+     Include /var/lib/hydra/secrets/webhook-secrets.conf
+   </webhooks>
+   ```
+
+3. **Configure your Git forge**: View the generated secrets and configure them in GitHub/Gitea:
+   ```bash
+   grep "secret =" /var/lib/hydra/secrets/webhook-secrets.conf
+   ```
+
+### Multiple Secrets Support
+
+Hydra supports configuring multiple secrets for each platform, which is useful for:
+- Zero-downtime secret rotation
+- Supporting multiple environments (production/staging)
+- Gradual migration of webhooks
+
+To configure multiple secrets, use array syntax:
+```apache
+<github>
+  secret = current-webhook-secret
+  secret = previous-webhook-secret
+</github>
+```
+
 ## GitHub
 
 To set up a webhook for a GitHub repository go to `https://github.com/<yourhandle>/<yourrepo>/settings`
@@ -10,11 +62,16 @@ and in the `Webhooks` tab click on `Add webhook`.
 
 - In `Payload URL` fill in `https://<your-hydra-domain>/api/push-github`.
 - In `Content type` switch to `application/json`.
-- The `Secret` field can stay empty.
+- In the `Secret` field, enter the content of your GitHub webhook secret file (if authentication is configured).
 - For `Which events would you like to trigger this webhook?` keep the default option for events on `Just the push event.`.
 
 Then add the hook with `Add webhook`.
 
+### Verifying GitHub Webhook Security
+
+After configuration, GitHub will send webhook requests with an `X-Hub-Signature-256` header containing the HMAC-SHA256
+signature of the request body. Hydra will verify this signature matches the configured secret.
+
 ## Gitea
 
 To set up a webhook for a Gitea repository go to the settings of the repository in your Gitea instance
@@ -22,6 +79,23 @@ and in the `Webhooks` tab click on `Add Webhook` and choose `Gitea` in the drop
 
 - In `Target URL` fill in `https://<your-hydra-domain>/api/push-gitea`.
 - Keep HTTP method `POST`, POST Content Type `application/json` and Trigger On `Push Events`.
+- In the `Secret` field, enter the content of your Gitea webhook secret file (if authentication is configured).
 - Change the branch filter to match the git branch hydra builds.
 
 Then add the hook with `Add webhook`.
+
+### Verifying Gitea Webhook Security
+
+After configuration, Gitea will send webhook requests with an `X-Gitea-Signature` header containing the HMAC-SHA256
+signature of the request body. Hydra will verify this signature matches the configured secret.
+
+## Troubleshooting
+
+If you receive 401 Unauthorized errors:
+- Verify the webhook secret in your Git forge matches the content of the secret file exactly
+- Check that the secret file has proper permissions (should be 0600)
+- Look at Hydra's logs for specific error messages
+- Ensure the correct signature header is being sent by your Git forge
+
+If you see warnings about webhook authentication not being configured:
+- Configure webhook authentication as described above to secure your endpoints

flake.lock

@@ -3,16 +3,16 @@
     "nix": {
       "flake": false,
       "locked": {
-        "lastModified": 1750777360,
-        "narHash": "sha256-nDWFxwhT+fQNgi4rrr55EKjpxDyVKSl1KaNmSXtYj40=",
+        "lastModified": 1772065213,
+        "narHash": "sha256-DbYpmZAD6aebwxepBop5Ub4S39sLg9UIJziTbeD832k=",
         "owner": "NixOS",
         "repo": "nix",
-        "rev": "7bb200199705eddd53cb34660a76567c6f1295d9",
+        "rev": "0769726d44b0782fecbd7b9749e24320c77af317",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "2.29-maintenance",
+        "ref": "2.33-maintenance",
         "repo": "nix",
         "type": "github"
       }
@@ -20,31 +20,32 @@
     "nix-eval-jobs": {
       "flake": false,
       "locked": {
-        "lastModified": 1748680938,
-        "narHash": "sha256-TQk6pEMD0mFw7jZXpg7+2qNKGbAluMQgc55OMgEO8bM=",
+        "lastModified": 1767025318,
+        "narHash": "sha256-i68miKHGdueWggcDAF+Kca9g6S3ipkW629XbMpQYfn0=",
         "owner": "nix-community",
         "repo": "nix-eval-jobs",
-        "rev": "974a4af3d4a8fd242d8d0e2608da4be87a62b83f",
+        "rev": "79dd7adbb5f75b08fb4b9bddd712ebc52baa46bc",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
+        "ref": "v2.33.0",
         "repo": "nix-eval-jobs",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1750736827,
-        "narHash": "sha256-UcNP7BR41xMTe0sfHBH8R79+HdCw0OwkC/ZKrQEuMeo=",
+        "lastModified": 1772934839,
+        "narHash": "sha256-6mMYkB7BTTsc4thtCFbh3Aj5yth3EPI6L9L5DR6tpWc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b4a30b08433ad7b6e1dfba0833fb0fe69d43dfec",
+        "rev": "d351a3bce30b8f0d0a36281754b62942977fabe5",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.05-small",
+        "ref": "nixos-25.11-small",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -1,16 +1,16 @@
 {
   description = "A Nix-based continuous build system";
 
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05-small";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11-small";
 
   inputs.nix = {
-    url = "github:NixOS/nix/2.29-maintenance";
+    url = "github:NixOS/nix/2.33-maintenance";
     # We want to control the deps precisely
     flake = false;
   };
 
   inputs.nix-eval-jobs = {
-    url = "github:nix-community/nix-eval-jobs";
+    url = "github:nix-community/nix-eval-jobs/v2.33.0";
     # We want to control the deps precisely
     flake = false;
   };
@@ -59,7 +59,7 @@
 
         manual = forEachSystem (system: let
           pkgs = nixpkgs.legacyPackages.${system};
-          hydra = self.packages.${pkgs.hostPlatform.system}.hydra;
+          hydra = self.packages.${pkgs.stdenv.hostPlatform.system}.hydra;
         in
           pkgs.runCommand "hydra-manual-${hydra.version}" { }
             ''

hydra-api.yaml

@@ -78,6 +78,11 @@ paths:
           description: project and jobset formatted as "<project>:<jobset>" to evaluate
           schema:
             type: string
+        - in: query
+          name: force
+          description: when set to true the jobset gets evaluated even when it did not change
+          schema:
+            type: boolean
       responses:
         '200':
           description: jobset trigger response
@@ -569,6 +574,131 @@ paths:
               schema:
                 $ref: '#/components/schemas/JobsetEvalBuilds'
 
+  /jobset/{project-id}/{jobset-id}/latest-eval:
+    get:
+      summary: Redirects to the latest finished evaluation for a jobset
+      parameters:
+      - name: project-id
+        in: path
+        description: project identifier
+        required: true
+        schema:
+          type: string
+      - name: jobset-id
+        in: path
+        description: jobset identifier
+        required: true
+        schema:
+          type: string
+      responses:
+        '302':
+          description: the evaluation to redirect to
+          headers:
+            Location:
+              example: /eval/1?name={jobset-id}
+              schema:
+                type: string
+
+  /job/{project-id}/{jobset-id}/{job-id}/latest:
+    get:
+      summary: Redirects to the latest succesful build for a job
+      parameters:
+      - name: project-id
+        in: path
+        description: project identifier
+        required: true
+        schema:
+          type: string
+      - name: jobset-id
+        in: path
+        description: jobset identifier
+        required: true
+        schema:
+          type: string
+      - name: job-id
+        in: path
+        description: job identifier
+        required: true
+        schema:
+          type: string
+      responses:
+        '302':
+          description: the build to redirect to
+          headers:
+            Location:
+              example: /build/1
+              schema:
+                type: string
+
+  /job/{project-id}/{jobset-id}/{job-id}/latest-for/{system}:
+    get:
+      summary: Redirects to the latest succesful build for a job
+      parameters:
+      - name: project-id
+        in: path
+        description: project identifier
+        required: true
+        schema:
+          type: string
+      - name: jobset-id
+        in: path
+        description: jobset identifier
+        required: true
+        schema:
+          type: string
+      - name: job-id
+        in: path
+        description: job identifier
+        required: true
+        schema:
+          type: string
+      - name: system
+        in: path
+        description: system
+        required: true
+        schema:
+          type: string
+        example: x86_64-linux
+      responses:
+        '302':
+          description: the build to redirect to
+          headers:
+            Location:
+              example: /build/1
+              schema:
+                type: string
+
+  /job/{project-id}/{jobset-id}/{job-id}/latest-finished:
+    get:
+      summary: Redirects to the latest succesful build for a job from a finished evaluation
+      parameters:
+      - name: project-id
+        in: path
+        description: project identifier
+        required: true
+        schema:
+          type: string
+      - name: jobset-id
+        in: path
+        description: jobset identifier
+        required: true
+        schema:
+          type: string
+      - name: job-id
+        in: path
+        description: job identifier
+        required: true
+        schema:
+          type: string
+      responses:
+        '302':
+          description: the build to redirect to
+          headers:
+            Location:
+              example: /build/1
+              schema:
+                type: string
+
 components:
   schemas:
 

meson.build

@@ -4,7 +4,7 @@ project('hydra', 'cpp',
   default_options: [
     'debug=true',
     'optimization=2',
-    'cpp_std=c++20',
+    'cpp_std=c++23',
   ],
 )
 

nixos-modules/default.nix

@@ -4,7 +4,7 @@
   hydra = { pkgs, lib,... }: {
     _file = ./default.nix;
     imports = [ ./hydra.nix ];
-    services.hydra-dev.package = lib.mkDefault self.packages.${pkgs.hostPlatform.system}.hydra;
+    services.hydra-dev.package = lib.mkDefault self.packages.${pkgs.stdenv.hostPlatform.system}.hydra;
   };
 
   hydraTest = { pkgs, ... }: {

nixos-modules/hydra.nix

@@ -364,7 +364,7 @@ in
         requires = [ "hydra-init.service" ];
         restartTriggers = [ hydraConf ];
         after = [ "hydra-init.service" "network.target" ];
-        path = with pkgs; [ hostname-debian cfg.package jq ];
+        path = with pkgs; [ hostname-debian cfg.package ];
         environment = env // {
           HYDRA_DBI = "${env.HYDRA_DBI};application_name=hydra-evaluator";
         };

package.nix

@@ -31,7 +31,7 @@
 , perl
 , pixz
 , boost
-, postgresql_13
+, postgresql_17
 , nlohmann_json
 , prometheus-cpp
 
@@ -192,7 +192,7 @@ stdenv.mkDerivation (finalAttrs: {
     subversion
     breezy
     openldap
-    postgresql_13
+    postgresql_17
     pixz
     nix-eval-jobs
   ];

src/hydra-queue-runner/build-remote.cc

@@ -14,6 +14,7 @@
 #include <nix/util/current-process.hh>
 #include <nix/util/processes.hh>
 #include <nix/util/util.hh>
+#include <nix/store/export-import.hh>
 #include <nix/store/serve-protocol.hh>
 #include <nix/store/serve-protocol-impl.hh>
 #include <nix/store/ssh.hh>
@@ -104,7 +105,7 @@ static void copyClosureTo(
         std::chrono::seconds(600));
 
     conn.to << ServeProto::Command::ImportPaths;
-    destStore.exportPaths(missing, conn.to);
+    exportPaths(destStore, missing, conn.to);
     conn.to.flush();
 
     if (readInt(conn.from) != 1)
@@ -262,16 +263,18 @@ static BuildResult performBuild(
         // Since this a `BasicDerivation`, `staticOutputHashes` will not
         // do any real work.
         auto outputHashes = staticOutputHashes(localStore, drv);
-        for (auto & [outputName, output] : drvOutputs) {
-            auto outputPath = output.second;
-            // We’ve just asserted that the output paths of the derivation
-            // were known
-            assert(outputPath);
-            auto outputHash = outputHashes.at(outputName);
-            auto drvOutput = DrvOutput { outputHash, outputName };
-            result.builtOutputs.insert_or_assign(
-                std::move(outputName),
-                Realisation { drvOutput, *outputPath });
+        if (auto * successP = result.tryGetSuccess()) {
+            for (auto & [outputName, output] : drvOutputs) {
+                auto outputPath = output.second;
+                // We’ve just asserted that the output paths of the derivation
+                // were known
+                assert(outputPath);
+                auto outputHash = outputHashes.at(outputName);
+                auto drvOutput = DrvOutput { outputHash, outputName };
+                successP->builtOutputs.insert_or_assign(
+                    std::move(outputName),
+                    Realisation { {.outPath = *outputPath}, drvOutput });
+            }
         }
     }
 
@@ -336,54 +339,68 @@ void RemoteResult::updateWithBuildResult(const nix::BuildResult & buildResult)
     startTime = buildResult.startTime;
     stopTime = buildResult.stopTime;
     timesBuilt = buildResult.timesBuilt;
-    errorMsg = buildResult.errorMsg;
-    isNonDeterministic = buildResult.isNonDeterministic;
 
-    switch ((BuildResult::Status) buildResult.status) {
-        case BuildResult::Built:
+    std::visit(overloaded{
+        [&](const BuildResult::Success & success) {
             stepStatus = bsSuccess;
-            break;
-        case BuildResult::Substituted:
-        case BuildResult::AlreadyValid:
-            stepStatus = bsSuccess;
-            isCached = true;
-            break;
-        case BuildResult::PermanentFailure:
-            stepStatus = bsFailed;
-            canCache = true;
-            errorMsg = "";
-            break;
-        case BuildResult::InputRejected:
-        case BuildResult::OutputRejected:
-            stepStatus = bsFailed;
-            canCache = true;
-            break;
-        case BuildResult::TransientFailure:
-            stepStatus = bsFailed;
-            canRetry = true;
-            errorMsg = "";
-            break;
-        case BuildResult::TimedOut:
-            stepStatus = bsTimedOut;
-            errorMsg = "";
-            break;
-        case BuildResult::MiscFailure:
-            stepStatus = bsAborted;
-            canRetry = true;
-            break;
-        case BuildResult::LogLimitExceeded:
-            stepStatus = bsLogLimitExceeded;
-            break;
-        case BuildResult::NotDeterministic:
-            stepStatus = bsNotDeterministic;
-            canRetry = false;
-            canCache = true;
-            break;
-        default:
-            stepStatus = bsAborted;
-            break;
-    }
-
+            switch (success.status) {
+                case BuildResult::Success::Built:
+                    break;
+                case BuildResult::Success::Substituted:
+                case BuildResult::Success::AlreadyValid:
+                case BuildResult::Success::ResolvesToAlreadyValid:
+                    isCached = true;
+                    break;
+                default:
+                    assert(false);
+            }
+        },
+        [&](const BuildResult::Failure & failure) {
+            errorMsg = failure.errorMsg;
+            isNonDeterministic = failure.isNonDeterministic;
+            switch (failure.status) {
+                case BuildResult::Failure::PermanentFailure:
+                    stepStatus = bsFailed;
+                    canCache = true;
+                    errorMsg = "";
+                    break;
+                case BuildResult::Failure::InputRejected:
+                case BuildResult::Failure::OutputRejected:
+                    stepStatus = bsFailed;
+                    canCache = true;
+                    break;
+                case BuildResult::Failure::TransientFailure:
+                    stepStatus = bsFailed;
+                    canRetry = true;
+                    errorMsg = "";
+                    break;
+                case BuildResult::Failure::TimedOut:
+                    stepStatus = bsTimedOut;
+                    errorMsg = "";
+                    break;
+                case BuildResult::Failure::MiscFailure:
+                    stepStatus = bsAborted;
+                    canRetry = true;
+                    break;
+                case BuildResult::Failure::LogLimitExceeded:
+                    stepStatus = bsLogLimitExceeded;
+                    break;
+                case BuildResult::Failure::NotDeterministic:
+                    stepStatus = bsNotDeterministic;
+                    canRetry = false;
+                    canCache = true;
+                    break;
+                case BuildResult::Failure::CachedFailure:
+                case BuildResult::Failure::DependencyFailed:
+                case BuildResult::Failure::NoSubstituters:
+                case BuildResult::Failure::HashMismatch:
+                    stepStatus = bsAborted;
+                    break;
+                default:
+                    assert(false);
+            }
+        },
+    }, buildResult.inner);
 }
 
 /* Utility guard object to auto-release a semaphore on destruction. */
@@ -405,7 +422,7 @@ void State::buildRemote(ref<Store> destStore,
     std::function<void(StepState)> updateStep,
     NarMemberDatas & narMembers)
 {
-    assert(BuildResult::TimedOut == 8);
+    assert(BuildResult::Failure::TimedOut == 8);
 
     auto [logFile, logFD] = build_remote::openLogFile(logDir, step->drvPath);
     AutoDelete logFileDel(logFile, false);
@@ -514,7 +531,7 @@ void State::buildRemote(ref<Store> destStore,
 
         updateStep(ssBuilding);
 
-        BuildResult buildResult = build_remote::performBuild(
+        auto buildResult = build_remote::performBuild(
             conn,
             *localStore,
             step->drvPath,
@@ -556,8 +573,9 @@ void State::buildRemote(ref<Store> destStore,
         wakeDispatcher();
 
         StorePathSet outputs;
-        for (auto & [_, realisation] : buildResult.builtOutputs)
-            outputs.insert(realisation.outPath);
+        if (auto * successP = buildResult.tryGetSuccess())
+            for (auto & [_, realisation] : successP->builtOutputs)
+                outputs.insert(realisation.outPath);
 
         /* Copy the output paths. */
         if (!machine->isLocalhost() || localStore != std::shared_ptr<Store>(destStore)) {
@@ -590,15 +608,17 @@ void State::buildRemote(ref<Store> destStore,
         /* Register the outputs of the newly built drv */
         if (experimentalFeatureSettings.isEnabled(Xp::CaDerivations)) {
             auto outputHashes = staticOutputHashes(*localStore, *step->drv);
-            for (auto & [outputName, realisation] : buildResult.builtOutputs) {
-                // Register the resolved drv output
-                destStore->registerDrvOutput(realisation);
+            if (auto * successP = buildResult.tryGetSuccess()) {
+                for (auto & [outputName, realisation] : successP->builtOutputs) {
+                    // Register the resolved drv output
+                    destStore->registerDrvOutput(realisation);
 
-                // Also register the unresolved one
-                auto unresolvedRealisation = realisation;
-                unresolvedRealisation.signatures.clear();
-                unresolvedRealisation.id.drvHash = outputHashes.at(outputName);
-                destStore->registerDrvOutput(unresolvedRealisation);
+                    // Also register the unresolved one
+                    auto unresolvedRealisation = realisation;
+                    unresolvedRealisation.signatures.clear();
+                    unresolvedRealisation.id.drvHash = outputHashes.at(outputName);
+                    destStore->registerDrvOutput(unresolvedRealisation);
+                }
             }
         }
 

src/hydra-queue-runner/build-result.cc

@@ -51,8 +51,8 @@ BuildOutput getBuildOutput(
         "[[:space:]]+"
         "([a-zA-Z0-9_-]+)" // subtype (e.g. "readme")
         "[[:space:]]+"
-        "(\"[^\"]+\"|[^[:space:]\"]+)" // path (may be quoted)
-        "([[:space:]]+([^[:space:]]+))?" // entry point
+        "(\"[^\"]+\"|[^[:space:]<>\"]+)" // path (may be quoted)
+        "([[:space:]]+([^[:space:]<>]+))?" // entry point
         , std::regex::extended);
 
     for (auto & output : outputs) {
@@ -78,7 +78,7 @@ BuildOutput getBuildOutput(
             product.type = match[1];
             product.subtype = match[2];
             std::string s(match[3]);
-            product.path = s[0] == '"' ? std::string(s, 1, s.size() - 2) : s;
+            product.path = s[0] == '"' && s.back() == '"' ? std::string(s, 1, s.size() - 2) : s;
             product.defaultPath = match[5];
 
             /* Ensure that the path exists and points into the Nix
@@ -93,6 +93,8 @@ BuildOutput getBuildOutput(
             if (file == narMembers.end()) continue;
 
             product.name = product.path == store->printStorePath(output) ? "" : baseNameOf(product.path);
+            if (!std::regex_match(product.name, std::regex("[a-zA-Z0-9.@:_ -]*")))
+                product.name = "";
 
             if (file->second.type == SourceAccessor::Type::tRegular) {
                 product.isRegular = true;
@@ -127,8 +129,9 @@ BuildOutput getBuildOutput(
         if (file == narMembers.end() ||
             file->second.type != SourceAccessor::Type::tRegular)
             continue;
-        res.releaseName = trim(file->second.contents.value());
-        // FIXME: validate release name
+        auto contents = trim(file->second.contents.value());
+        if (std::regex_match(contents, std::regex("[a-zA-Z0-9.@:_-]+")))
+            res.releaseName = contents;
     }
 
     /* Get metrics. */
@@ -140,10 +143,18 @@ BuildOutput getBuildOutput(
         for (auto & line : tokenizeString<Strings>(file->second.contents.value(), "\n")) {
             auto fields = tokenizeString<std::vector<std::string>>(line);
             if (fields.size() < 2) continue;
+            if (!std::regex_match(fields[0], std::regex("[a-zA-Z0-9._-]+")))
+                continue;
             BuildMetric metric;
-            metric.name = fields[0]; // FIXME: validate
-            metric.value = atof(fields[1].c_str()); // FIXME
+            metric.name = fields[0];
+            try {
+                metric.value = std::stod(fields[1]);
+            } catch (...) {
+                continue; // skip this metric
+            }
             metric.unit = fields.size() >= 3 ? fields[2] : "";
+            if (!std::regex_match(metric.unit, std::regex("[a-zA-Z0-9._%-]+")))
+                metric.unit = "";
             res.metrics[metric.name] = metric;
         }
     }

src/hydra-queue-runner/hydra-queue-runner.cc

@@ -537,12 +537,12 @@ void State::notifyBuildFinished(pqxx::work & txn, BuildID buildId,
 
 std::shared_ptr<PathLocks> State::acquireGlobalLock()
 {
-    Path lockPath = hydraData + "/queue-runner/lock";
+    auto lockPath = std::filesystem::path(hydraData) / "queue-runner/lock";
 
-    createDirs(dirOf(lockPath));
+    createDirs(lockPath.parent_path());
 
     auto lock = std::make_shared<PathLocks>();
-    if (!lock->lockPaths(PathSet({lockPath}), "", false)) return 0;
+    if (!lock->lockPaths({lockPath}, "", false)) return 0;
 
     return lock;
 }

src/hydra-queue-runner/queue-monitor.cc

@@ -1,5 +1,6 @@
 #include "state.hh"
 #include "hydra-build-result.hh"
+#include <nix/store/derived-path.hh>
 #include <nix/store/globals.hh>
 #include <nix/store/parsed-derivations.hh>
 #include <nix/util/thread-pool.hh>
@@ -487,23 +488,24 @@ Step::ptr State::createStep(ref<Store> destStore,
        it's not runnable yet, and other threads won't make it
        runnable while step->created == false. */
     step->drv = std::make_unique<Derivation>(localStore->readDerivation(drvPath));
-    {
-        auto parsedOpt = StructuredAttrs::tryParse(step->drv->env);
-        try {
-            step->drvOptions = std::make_unique<DerivationOptions>(
-                DerivationOptions::fromStructuredAttrs(step->drv->env, parsedOpt ? &*parsedOpt : nullptr));
-        } catch (Error & e) {
-            e.addTrace({}, "while parsing derivation '%s'", localStore->printStorePath(drvPath));
-            throw;
-        }
+    DerivationOptions<nix::SingleDerivedPath> drvOptions;
+    try {
+        drvOptions = derivationOptionsFromStructuredAttrs(
+            *localStore,
+            step->drv->inputDrvs,
+            step->drv->env,
+            get(step->drv->structuredAttrs));
+    } catch (Error & e) {
+        e.addTrace({}, "while parsing derivation '%s'", localStore->printStorePath(drvPath));
+        throw;
     }
 
-    step->preferLocalBuild = step->drvOptions->willBuildLocally(*localStore, *step->drv);
+    step->preferLocalBuild = drvOptions.willBuildLocally(*localStore, *step->drv);
     step->isDeterministic = getOr(step->drv->env, "isDetermistic", "0") == "1";
 
     step->systemType = step->drv->platform;
     {
-        StringSet features = step->requiredSystemFeatures = step->drvOptions->getRequiredSystemFeatures(*step->drv);
+        StringSet features = step->requiredSystemFeatures = drvOptions.getRequiredSystemFeatures(*step->drv);
         if (step->preferLocalBuild)
             features.insert("local");
         if (!features.empty()) {

src/hydra-queue-runner/state.hh

@@ -27,6 +27,7 @@
 #include <nix/store/serve-protocol-impl.hh>
 #include <nix/store/serve-protocol-connection.hh>
 #include <nix/store/machines.hh>
+#include <nix/store/globals.hh>
 
 
 typedef unsigned int BuildID;
@@ -171,7 +172,6 @@ struct Step
 
     nix::StorePath drvPath;
     std::unique_ptr<nix::Derivation> drv;
-    std::unique_ptr<nix::DerivationOptions> drvOptions;
     nix::StringSet requiredSystemFeatures;
     bool preferLocalBuild;
     bool isDeterministic;

src/lib/Hydra/Controller/API.pm

@@ -12,6 +12,9 @@ use DateTime;
 use Digest::SHA qw(sha256_hex);
 use Text::Diff;
 use IPC::Run qw(run);
+use Digest::SHA qw(hmac_sha256_hex);
+use String::Compare::ConstantTime qw(equals);
+use IPC::Run3;
 
 
 sub api : Chained('/') PathPart('api') CaptureArgs(0) {
@@ -216,8 +219,13 @@ sub scmdiff : Path('/api/scmdiff') Args(0) {
     } elsif ($type eq "git") {
         my $clonePath = getSCMCacheDir . "/git/" . sha256_hex($uri);
         die if ! -d $clonePath;
-        $diff .= `(cd $clonePath; git --git-dir .git log $rev1..$rev2)`;
-        $diff .= `(cd $clonePath; git --git-dir .git diff $rev1..$rev2)`;
+        my ($stdout1, $stderr1);
+        run3(['git', '--git-dir', '.git', '-C', $clonePath, 'log', "$rev1..$rev2"], \undef, \$stdout1, \$stderr1);
+        $diff .= $stdout1 if $? == 0;
+
+        my ($stdout2, $stderr2);
+        run3(['git', '--git-dir', '.git', '-C', $clonePath, 'diff', "$rev1..$rev2"], \undef, \$stdout2, \$stderr2);
+        $diff .= $stdout2 if $? == 0;
     }
 
     $c->stash->{'plain'} = { data => (scalar $diff) || " " };
@@ -274,13 +282,84 @@ sub push : Chained('api') PathPart('push') Args(0) {
     );
 }
 
+sub verifyWebhookSignature {
+    my ($c, $platform, $header_name, $signature_prefix) = @_;
+
+    # Get secrets from config
+    my $webhook_config = $c->config->{webhooks} // {};
+    my $platform_config = $webhook_config->{$platform} // {};
+    my $secrets = $platform_config->{secret};
+
+    # Normalize to array
+    $secrets = [] unless defined $secrets;
+    $secrets = [$secrets] unless ref($secrets) eq 'ARRAY';
+
+    # Trim whitespace from secrets
+    my @secrets = grep { defined && length } map { s/^\s+|\s+$//gr } @$secrets;
+
+    if (@secrets) {
+        my $signature = $c->request->header($header_name);
+
+        if (!$signature) {
+            $c->log->warn("Webhook authentication failed for $platform: Missing signature from IP " . $c->request->address);
+            $c->response->status(401);
+            $c->stash->{json} = { error => "Missing webhook signature" };
+            $c->forward('View::JSON');
+            return 0;
+        }
+
+        # Get the raw body content from the buffered PSGI input
+        # For JSON requests, Catalyst will have already read and buffered the body
+        my $input = $c->request->env->{'psgi.input'};
+        $input->seek(0, 0);
+        local $/;
+        my $payload = <$input>;
+        $input->seek(0, 0);  # Reset for any other consumers
+
+        unless (defined $payload && length $payload) {
+            $c->log->warn("Webhook authentication failed for $platform: Empty request body from IP " . $c->request->address);
+            $c->response->status(400);
+            $c->stash->{json} = { error => "Empty request body" };
+            $c->forward('View::JSON');
+            return 0;
+        }
+
+        my $valid = 0;
+        for my $secret (@secrets) {
+            my $expected = $signature_prefix . hmac_sha256_hex($payload, $secret);
+            if (equals($signature, $expected)) {
+                $valid = 1;
+                last;
+            }
+        }
+
+        if (!$valid) {
+            $c->log->warn("Webhook authentication failed for $platform: Invalid signature from IP " . $c->request->address);
+            $c->response->status(401);
+            $c->stash->{json} = { error => "Invalid webhook signature" };
+            $c->forward('View::JSON');
+            return 0;
+        }
+
+        return 1;
+    } else {
+        $c->log->warn("Webhook authentication failed for $platform: Unable to validate signature from IP " . $c->request->address . " because no secrets are configured");
+        $c->response->status(401);
+        $c->stash->{json} = { error => "Invalid webhook signature" };
+        $c->forward('View::JSON');
+        return 0;
+    }
+}
+
 sub push_github : Chained('api') PathPart('push-github') Args(0) {
     my ($self, $c) = @_;
 
     $c->{stash}->{json}->{jobsetsTriggered} = [];
 
+    return unless verifyWebhookSignature($c, 'github', 'X-Hub-Signature-256', 'sha256=');
+
     my $in = $c->request->{data};
-    my $owner = $in->{repository}->{owner}->{name} or die;
+    my $owner = ($in->{repository}->{owner}->{name} // $in->{repository}->{owner}->{login}) or die;
     my $repo = $in->{repository}->{name} or die;
     print STDERR "got push from GitHub repository $owner/$repo\n";
 
@@ -297,6 +376,9 @@ sub push_gitea : Chained('api') PathPart('push-gitea') Args(0) {
 
     $c->{stash}->{json}->{jobsetsTriggered} = [];
 
+    # Note: Gitea doesn't use sha256= prefix
+    return unless verifyWebhookSignature($c, 'gitea', 'X-Gitea-Signature', '');
+
     my $in = $c->request->{data};
     my $url = $in->{repository}->{clone_url} or die;
     $url =~ s/.git$//;

src/lib/Hydra/Controller/Build.pm

@@ -13,6 +13,8 @@ use Data::Dump qw(dump);
 use List::SomeUtils qw(all);
 use Encode;
 use JSON::PP;
+use IPC::Run qw(run);
+use IPC::Run3;
 use WWW::Form::UrlEncoded::PP qw();
 
 use feature 'state';
@@ -210,7 +212,7 @@ sub checkPath {
 sub serveFile {
     my ($c, $path) = @_;
 
-    my $res = run(cmd => ["nix", "--experimental-features", "nix-command",
+    my $res = runCommand(cmd => ["nix", "--experimental-features", "nix-command",
                           "ls-store", "--store", getStoreUri(), "--json", "$path"]);
 
     if ($res->{status}) {
@@ -348,19 +350,21 @@ sub contents : Chained('buildChain') PathPart Args(1) {
 
     notFound($c, "Product $path has disappeared.") unless -e $path;
 
-    # Sanitize $path to prevent shell injection attacks.
-    $path =~ /^\/[\/[A-Za-z0-9_\-\.=+:]+$/ or die "Filename contains illegal characters.\n";
-
-    # FIXME: don't use shell invocations below.
-
     # FIXME: use nix store cat
 
     my $res;
 
     if ($product->type eq "nix-build" && -d $path) {
         # FIXME: use nix ls-store -R --json
-        $res = `cd '$path' && find . -print0 | xargs -0 ls -ld --`;
-        error($c, "`ls -lR' error: $?") if $? != 0;
+        # We need to use a pipe between find and xargs, so we'll use IPC::Run
+        my $error;
+        # Run find with absolute path and post-process to get relative paths
+        my $success = run(['find', $path, '-print0'], '|', ['xargs', '-0', 'ls', '-ld', '--'], \$res, \$error);
+        error($c, "`find $path -print0 | xargs -0 ls -ld --' error: $error") unless $success;
+
+        # Strip the base path to show relative paths
+        my $escaped_path = quotemeta($path);
+        $res =~ s/^(.*\s)$escaped_path(\/|$)/$1.$2/mg;
 
         #my $baseuri = $c->uri_for('/build', $c->stash->{build}->id, 'download', $product->productnr);
         #$baseuri .= "/".$product->name if $product->name;
@@ -368,34 +372,59 @@ sub contents : Chained('buildChain') PathPart Args(1) {
     }
 
     elsif ($path =~ /\.rpm$/) {
-        $res = `rpm --query --info --package '$path'`;
-        error($c, "RPM error: $?") if $? != 0;
+        my ($stdout1, $stderr1);
+        run3(['rpm', '--query', '--info', '--package', $path], \undef, \$stdout1, \$stderr1);
+        error($c, "RPM error: $stderr1") if $? != 0;
+        $res = $stdout1;
+
         $res .= "===\n";
-        $res .= `rpm --query --list --verbose --package '$path'`;
-        error($c, "RPM error: $?") if $? != 0;
+
+        my ($stdout2, $stderr2);
+        run3(['rpm', '--query', '--list', '--verbose', '--package', $path], \undef, \$stdout2, \$stderr2);
+        error($c, "RPM error: $stderr2") if $? != 0;
+        $res .= $stdout2;
     }
 
     elsif ($path =~ /\.deb$/) {
-        $res = `dpkg-deb --info '$path'`;
-        error($c, "`dpkg-deb' error: $?") if $? != 0;
+        my ($stdout1, $stderr1);
+        run3(['dpkg-deb', '--info', $path], \undef, \$stdout1, \$stderr1);
+        error($c, "`dpkg-deb' error: $stderr1") if $? != 0;
+        $res = $stdout1;
+
         $res .= "===\n";
-        $res .= `dpkg-deb --contents '$path'`;
-        error($c, "`dpkg-deb' error: $?") if $? != 0;
+
+        my ($stdout2, $stderr2);
+        run3(['dpkg-deb', '--contents', $path], \undef, \$stdout2, \$stderr2);
+        error($c, "`dpkg-deb' error: $stderr2") if $? != 0;
+        $res .= $stdout2;
     }
 
     elsif ($path =~ /\.(tar(\.gz|\.bz2|\.xz|\.lzma)?|tgz)$/ ) {
-        $res = `tar tvfa '$path'`;
-        error($c, "`tar' error: $?") if $? != 0;
+        my ($stdout, $stderr);
+        run3(['tar', 'tvfa', $path], \undef, \$stdout, \$stderr);
+        error($c, "`tar' error: $stderr") if $? != 0;
+        $res = $stdout;
     }
 
     elsif ($path =~ /\.(zip|jar)$/ ) {
-        $res = `unzip -v '$path'`;
-        error($c, "`unzip' error: $?") if $? != 0;
+        my ($stdout, $stderr);
+        run3(['unzip', '-v', $path], \undef, \$stdout, \$stderr);
+        error($c, "`unzip' error: $stderr") if $? != 0;
+        $res = $stdout;
     }
 
     elsif ($path =~ /\.iso$/ ) {
-        $res = `isoinfo -d -i '$path' && isoinfo -l -R -i '$path'`;
-        error($c, "`isoinfo' error: $?") if $? != 0;
+        # Run first isoinfo command
+        my ($stdout1, $stderr1);
+        run3(['isoinfo', '-d', '-i', $path], \undef, \$stdout1, \$stderr1);
+        error($c, "`isoinfo' error: $stderr1") if $? != 0;
+        $res = $stdout1;
+
+        # Run second isoinfo command
+        my ($stdout2, $stderr2);
+        run3(['isoinfo', '-l', '-R', '-i', $path], \undef, \$stdout2, \$stderr2);
+        error($c, "`isoinfo' error: $stderr2") if $? != 0;
+        $res .= $stdout2;
     }
 
     else {

src/lib/Hydra/Controller/Root.pm

@@ -13,6 +13,8 @@ use Number::Bytes::Human qw(format_bytes);
 use Encode;
 use File::Basename;
 use JSON::MaybeXS;
+use HTML::Entities;
+use IPC::Run3;
 use List::Util qw[min max];
 use List::SomeUtils qw{any};
 use Net::Prometheus;
@@ -176,8 +178,14 @@ sub queue_runner_status_GET {
     my ($self, $c) = @_;
 
     #my $status = from_json($c->model('DB::SystemStatus')->find('queue-runner')->status);
-    my $status = decode_json(`hydra-queue-runner --status`);
-    if ($?) { $status->{status} = "unknown"; }
+    my ($stdout, $stderr);
+    run3(['hydra-queue-runner', '--status'], \undef, \$stdout, \$stderr);
+    my $status;
+    if ($? != 0) {
+        $status = { status => "unknown" };
+    } else {
+        $status = decode_json($stdout);
+    }
     my $json = JSON->new->pretty()->canonical();
 
     $c->stash->{template} = 'queue-runner-status.tt';
@@ -229,7 +237,7 @@ sub machines :Local Args(0) {
     $c->stash->{pretty_percent} = sub {
         my ($percent) = @_;
         my $ret = sprintf('%.2f', $percent);
-        return (' ' x (6 - length($ret))) . $ret;
+        return (' ' x (6 - length($ret))) . encode_entities($ret);
     };
     $self->status_ok($c, entity => $c->stash->{machines});
 }

src/lib/Hydra/Controller/User.pm

@@ -106,11 +106,11 @@ sub doEmailLogin {
     my $allowed_domains = $c->config->{allowed_domains} // ($c->config->{persona_allowed_domains} // "");
     if ($allowed_domains ne "") {
         my $email_ok = 0;
-        my @domains = split ',', $allowed_domains;
+        my @domains = split /,/, $allowed_domains;
         map { $_ =~ s/^\s*(.*?)\s*$/$1/ } @domains;
 
         foreach my $domain (@domains) {
-            $email_ok = $email_ok || ((split '@', $email)[1] eq $domain);
+            $email_ok = $email_ok || ((split /@/, $email)[1] eq $domain);
         }
         error($c, "Your email address does not belong to a domain that is allowed to log in.\n")
             unless $email_ok;

src/lib/Hydra/Helper/Nix.pm

@@ -12,12 +12,14 @@ use Nix::Store;
 use Encode;
 use Sys::Hostname::Long;
 use IPC::Run;
+use IPC::Run3;
 use LWP::UserAgent;
 use JSON::MaybeXS;
 use UUID4::Tiny qw(is_uuid4_string);
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw(
+    addToStore
     cancelBuilds
     constructRunCommandLogPath
     findLog
@@ -42,7 +44,7 @@ our @EXPORT = qw(
     readNixFile
     registerRoot
     restartBuilds
-    run
+    runCommand
     $MACHINE_LOCAL_STORE
     );
 
@@ -464,7 +466,7 @@ sub readIntoSocket{
 
 
 
-sub run {
+sub runCommand {
     my (%args) = @_;
     my $res = { stdout => "", stderr => "" };
     my $stdin = "";
@@ -504,7 +506,7 @@ sub run {
 
 sub grab {
     my (%args) = @_;
-    my $res = run(%args, grabStderr => 0);
+    my $res = runCommand(%args, grabStderr => 0);
     if ($res->{status}) {
         my $msgloc = "(in an indeterminate location)";
         if (defined $args{dir}) {
@@ -614,4 +616,14 @@ sub constructRunCommandLogPath {
     return "$hydra_path/runcommand-logs/$bucket/$uuid";
 }
 
+
+sub addToStore {
+    my ($path) = @_;
+
+    my ($stdout, $stderr);
+    run3(['nix-store', '--add', $path], \undef, \$stdout, \$stderr);
+    die "cannot add path $path to the Nix store: $stderr\n" if $? != 0;
+    return trim($stdout);
+}
+
 1;

src/lib/Hydra/Plugin/BitBucketPulls.pm

@@ -7,6 +7,7 @@ use HTTP::Request;
 use LWP::UserAgent;
 use JSON::MaybeXS;
 use Hydra::Helper::CatalystUtils;
+use Hydra::Helper::Nix;
 use File::Temp;
 use POSIX qw(strftime);
 
@@ -43,14 +44,11 @@ sub fetchInput {
     my $ua = LWP::UserAgent->new();
     _iterate("https://api.bitbucket.com/2.0/repositories/$owner/$repo/pullrequests?state=OPEN", $auth, \%pulls, $ua);
     my $tempdir = File::Temp->newdir("bitbucket-pulls" . "XXXXX", TMPDIR => 1);
-    my $filename = "$tempdir/bitbucket-pulls.json";
+    my $filename = "$tempdir/bitbucket-pulls-sorted.json";
     open(my $fh, ">", $filename) or die "Cannot open $filename for writing: $!";
-    print $fh encode_json \%pulls;
+    print $fh JSON::MaybeXS->new(canonical => 1, pretty => 1)->encode(\%pulls);
     close $fh;
-    system("jq -S . < $filename > $tempdir/bitbucket-pulls-sorted.json");
-    my $storePath = trim(`nix-store --add "$tempdir/bitbucket-pulls-sorted.json"`
-        or die "cannot copy path $filename to the Nix store.\n");
-    chomp $storePath;
+    my $storePath = addToStore($filename);
     my $timestamp = time;
     return { storePath => $storePath, revision => strftime "%Y%m%d%H%M%S", gmtime($timestamp) };
 }

src/lib/Hydra/Plugin/DarcsInput.pm

@@ -7,6 +7,7 @@ use Digest::SHA qw(sha256_hex);
 use File::Path;
 use Hydra::Helper::Exec;
 use Hydra::Helper::Nix;
+use IPC::Run3;
 
 sub supportedInputTypes {
     my ($self, $inputTypes) = @_;
@@ -31,7 +32,7 @@ sub fetchInput {
     my $stdout = ""; my $stderr = ""; my $res;
     if (! -d $clonePath) {
         # Clone the repository.
-        $res = run(timeout => 600,
+        $res = runCommand(timeout => 600,
                    cmd => ["darcs", "get", "--lazy", $uri, $clonePath],
                    dir => $ENV{"TMPDIR"});
         die "Error getting darcs repo at `$uri':\n$stderr" if $res->{status};
@@ -70,8 +71,11 @@ sub fetchInput {
         (system "darcs", "get", "--lazy", $clonePath, "$tmpDir/export", "--quiet",
                 "--to-match", "hash $revision") == 0
             or die "darcs export failed";
-        $revCount = `darcs changes --count --repodir $tmpDir/export`; chomp $revCount;
-        die "darcs changes --count failed" if $? != 0;
+        my ($stdout, $stderr);
+        run3(['darcs', 'changes', '--count', '--repodir', "$tmpDir/export"], \undef, \$stdout, \$stderr);
+        die "darcs changes --count failed: $stderr\n" if $? != 0;
+        $revCount = $stdout;
+        chomp $revCount;
 
         system "rm", "-rf", "$tmpDir/export/_darcs";
         $storePath = $MACHINE_LOCAL_STORE->addToStore("$tmpDir/export", 1, "sha256");

src/lib/Hydra/Plugin/EmailNotification.pm

@@ -71,7 +71,7 @@ sub buildFinished {
 
         my $to = $build->jobset->emailoverride ne "" ? $build->jobset->emailoverride : $build->maintainers;
 
-        foreach my $address (split ",", ($to // "")) {
+        foreach my $address (split /,/, ($to // "")) {
             $address = trim $address;
 
             $addresses{$address} //= { builds => [] };

src/lib/Hydra/Plugin/GitInput.pm

@@ -38,7 +38,7 @@ sub _parseValue {
         $start_options = 2;
     }
     foreach my $option (@parts[$start_options .. $#parts]) {
-        (my $key, my $value) = split('=', $option);
+        (my $key, my $value) = split(/=/, $option);
         $options->{$key} = $value;
     }
     return ($uri, $branch, $deepClone, $options);
@@ -137,8 +137,8 @@ sub fetchInput {
     my $res;
     if (! -d $clonePath) {
         # Clone everything and fetch the branch.
-        $res = run(cmd => ["git", "init", $clonePath]);
-        $res = run(cmd => ["git", "remote", "add", "origin", "--", $uri], dir => $clonePath) unless $res->{status};
+        $res = runCommand(cmd => ["git", "init", $clonePath]);
+        $res = runCommand(cmd => ["git", "remote", "add", "origin", "--", $uri], dir => $clonePath) unless $res->{status};
         die "error creating git repo in `$clonePath':\n$res->{stderr}" if $res->{status};
     }
 
@@ -146,9 +146,9 @@ sub fetchInput {
     # the remote branch for whatever the repository state is.  This command mirrors
     # only one branch of the remote repository.
     my $localBranch = _isHash($branch) ? "_hydra_tmp" : $branch;
-    $res = run(cmd => ["git", "fetch", "-fu", "origin", "+$branch:$localBranch"], dir => $clonePath,
+    $res = runCommand(cmd => ["git", "fetch", "-fu", "origin", "+$branch:$localBranch"], dir => $clonePath,
                timeout => $cfg->{timeout});
-    $res = run(cmd => ["git", "fetch", "-fu", "origin"], dir => $clonePath, timeout => $cfg->{timeout}) if $res->{status};
+    $res = runCommand(cmd => ["git", "fetch", "-fu", "origin"], dir => $clonePath, timeout => $cfg->{timeout}) if $res->{status};
     die "error fetching latest change from git repo at `$uri':\n$res->{stderr}" if $res->{status};
 
     # If deepClone is defined, then we look at the content of the repository
@@ -156,16 +156,16 @@ sub fetchInput {
     if (defined $deepClone) {
 
         # Is the target branch a topgit branch?
-        $res = run(cmd => ["git", "ls-tree", "-r", "$branch", ".topgit"], dir => $clonePath);
+        $res = runCommand(cmd => ["git", "ls-tree", "-r", "$branch", ".topgit"], dir => $clonePath);
 
         if ($res->{stdout} ne "") {
             # Checkout the branch to look at its content.
-            $res = run(cmd => ["git", "checkout", "--force", "$branch"], dir => $clonePath);
+            $res = runCommand(cmd => ["git", "checkout", "--force", "$branch"], dir => $clonePath);
             die "error checking out Git branch '$branch' at `$uri':\n$res->{stderr}" if $res->{status};
 
             # This is a TopGit branch.  Fetch all the topic branches so
             # that builders can run "tg patch" and similar.
-            $res = run(cmd => ["tg", "remote", "--populate", "origin"], dir => $clonePath, timeout => $cfg->{timeout});
+            $res = runCommand(cmd => ["tg", "remote", "--populate", "origin"], dir => $clonePath, timeout => $cfg->{timeout});
             print STDERR "warning: `tg remote --populate origin' failed:\n$res->{stderr}" if $res->{status};
         }
     }
@@ -265,7 +265,7 @@ sub getCommits {
 
     my $res = [];
     foreach my $line (split /\n/, $out) {
-        my ($revision, $author, $email, $date) = split "\t", $line;
+        my ($revision, $author, $email, $date) = split /\t/, $line;
         push @$res, { revision => $revision, author => decode("utf-8", $author), email => $email };
     }
 

src/lib/Hydra/Plugin/GiteaStatus.pm

@@ -63,9 +63,9 @@ sub common {
             my $accessToken = $self->{config}->{gitea_authorization}->{$repoOwner};
 
             my $rev = $i->revision;
-            my $domain = URI->new($i->uri)->host;
             my $host;
             unless (defined $gitea_url) {
+                my $domain = URI->new($i->uri)->host;
                 $host = "https://$domain";
             } else {
                 $host = $gitea_url->value;

src/lib/Hydra/Plugin/GithubPulls.pm

@@ -7,6 +7,7 @@ use HTTP::Request;
 use LWP::UserAgent;
 use JSON::MaybeXS;
 use Hydra::Helper::CatalystUtils;
+use Hydra::Helper::Nix;
 use File::Temp;
 use POSIX qw(strftime);
 
@@ -30,10 +31,10 @@ sub _iterate {
         $pulls->{$pull->{number}} = $pull;
     }
     # TODO Make Link header parsing more robust!!!
-    my @links = split ',', ($res->header("Link") // "");
+    my @links = split /,/, ($res->header("Link") // "");
     my $next = "";
     foreach my $link (@links) {
-        my ($url, $rel) = split ";", $link;
+        my ($url, $rel) = split /;/, $link;
         if (trim($rel) eq 'rel="next"') {
             $next = substr trim($url), 1, -1;
             last;
@@ -58,9 +59,7 @@ sub fetchInput {
     print $fh JSON->new->utf8->canonical->encode(\%pulls);
     close $fh;
 
-    my $storePath = trim(`nix-store --add "$filename"`
-        or die "cannot copy path $filename to the Nix store.\n");
-    chomp $storePath;
+    my $storePath = addToStore($filename);
     my $timestamp = time;
     return { storePath => $storePath, revision => strftime "%Y%m%d%H%M%S", gmtime($timestamp) };
 }

src/lib/Hydra/Plugin/GithubRefs.pm

@@ -7,6 +7,7 @@ use HTTP::Request;
 use LWP::UserAgent;
 use JSON::MaybeXS;
 use Hydra::Helper::CatalystUtils;
+use Hydra::Helper::Nix;
 use File::Temp;
 use POSIX qw(strftime);
 
@@ -17,9 +18,8 @@ tags) from GitHub following a certain naming scheme
 
 =head1 DESCRIPTION
 
-This plugin reads the list of branches or tags using GitHub's REST API. The name
-of the reference must follow a particular prefix. This list is stored in the
-nix-store and used as an input to declarative jobsets.
+This plugin reads the list of branches or tags using GitHub's REST API. This
+list is stored in the nix-store and used as an input to declarative jobsets.
 
 =head1 CONFIGURATION
 
@@ -33,7 +33,7 @@ The declarative project C<spec.json> file must contains an input such as
 
    "pulls": {
      "type": "github_refs",
-     "value": "[owner] [repo] heads|tags - [prefix]",
+     "value": "[owner] [repo] [type] - [prefix]",
      "emailresponsible": false
    }
 
@@ -41,12 +41,11 @@ In the above snippet, C<[owner]> is the repository owner and C<[repo]> is the
 repository name. Also note a literal C<->, which is placed there for the future
 use.
 
-C<heads|tags> denotes that one of these two is allowed, that is, the third
-position should hold either the C<heads> or the C<tags> keyword. In case of the former, the plugin
-will fetch all branches, while in case of the latter, it will fetch the tags.
+C<[type]> is the type of ref to list. Typical values are "heads", "tags", and
+"pull". "." will include all types.
 
 C<prefix> denotes the prefix the reference name must start with, in order to be
-included.
+included. "." will include all references.
 
 For example, C<"value": "nixos hydra heads - release/"> refers to
 L<https://github.com/nixos/hydra> repository, and will fetch all branches that
@@ -84,10 +83,10 @@ sub _iterate {
         $refs->{$ref_name} = $ref;
     }
     # TODO Make Link header parsing more robust!!!
-    my @links = split ',', $res->header("Link");
+    my @links = split /,/, $res->header("Link");
     my $next = "";
     foreach my $link (@links) {
-        my ($url, $rel) = split ";", $link;
+        my ($url, $rel) = split /;/, $link;
         if (trim($rel) eq 'rel="next"') {
             $next = substr trim($url), 1, -1;
             last;
@@ -101,8 +100,6 @@ sub fetchInput {
     return undef if $input_type ne "github_refs";
 
     my ($owner, $repo, $type, $fut, $prefix) = split ' ', $value;
-    die "type field is neither 'heads' nor 'tags', but '$type'"
-        unless $type eq 'heads' or $type eq 'tags';
 
     my $auth = $self->{config}->{github_authorization}->{$owner};
     my $githubEndpoint = $self->{config}->{github_endpoint} // "https://api.github.com";
@@ -110,14 +107,11 @@ sub fetchInput {
     my $ua = LWP::UserAgent->new();
     _iterate("$githubEndpoint/repos/$owner/$repo/git/matching-refs/$type/$prefix?per_page=100", $auth, \%refs, $ua);
     my $tempdir = File::Temp->newdir("github-refs" . "XXXXX", TMPDIR => 1);
-    my $filename = "$tempdir/github-refs.json";
+    my $filename = "$tempdir/github-refs-sorted.json";
     open(my $fh, ">", $filename) or die "Cannot open $filename for writing: $!";
-    print $fh encode_json \%refs;
+    print $fh JSON::MaybeXS->new(canonical => 1, pretty => 1)->encode(\%refs);
     close $fh;
-    system("jq -S . < $filename > $tempdir/github-refs-sorted.json");
-    my $storePath = trim(qx{nix-store --add "$tempdir/github-refs-sorted.json"}
-        or die "cannot copy path $filename to the Nix store.\n");
-    chomp $storePath;
+    my $storePath = addToStore($filename);
     my $timestamp = time;
     return { storePath => $storePath, revision => strftime "%Y%m%d%H%M%S", gmtime($timestamp) };
 }

src/lib/Hydra/Plugin/GitlabPulls.pm

@@ -21,6 +21,7 @@ use HTTP::Request;
 use LWP::UserAgent;
 use JSON::MaybeXS;
 use Hydra::Helper::CatalystUtils;
+use Hydra::Helper::Nix;
 use File::Temp;
 use POSIX qw(strftime);
 
@@ -48,10 +49,10 @@ sub _iterate {
         $pulls->{$pull->{iid}} = $pull;
     }
     # TODO Make Link header parsing more robust!!!
-    my @links = split ',', $res->header("Link");
+    my @links = split /,/, $res->header("Link");
     my $next = "";
     foreach my $link (@links) {
-        my ($url, $rel) = split ";", $link;
+        my ($url, $rel) = split /;/, $link;
         if (trim($rel) eq 'rel="next"') {
             $next = substr trim($url), 1, -1;
             last;
@@ -81,14 +82,11 @@ sub fetchInput {
     _iterate($url, $baseUrl, \%pulls, $ua, $target_repo_url);
 
     my $tempdir = File::Temp->newdir("gitlab-pulls" . "XXXXX", TMPDIR => 1);
-    my $filename = "$tempdir/gitlab-pulls.json";
+    my $filename = "$tempdir/gitlab-pulls-sorted.json";
     open(my $fh, ">", $filename) or die "Cannot open $filename for writing: $!";
-    print $fh encode_json \%pulls;
+    print $fh JSON::MaybeXS->new(canonical => 1, pretty => 1, utf8 => 1)->encode(\%pulls);
     close $fh;
-    system("jq -S . < $filename > $tempdir/gitlab-pulls-sorted.json");
-    my $storePath = trim(`nix-store --add "$tempdir/gitlab-pulls-sorted.json"`
-        or die "cannot copy path $filename to the Nix store.\n");
-    chomp $storePath;
+    my $storePath = addToStore($filename);
     my $timestamp = time;
     return { storePath => $storePath, revision => strftime "%Y%m%d%H%M%S", gmtime($timestamp) };
 }

src/lib/Hydra/Plugin/MercurialInput.pm

@@ -126,7 +126,7 @@ sub getCommits {
     my $res = [];
     foreach my $line (split /\n/, $out) {
         if ($line ne "") {
-            my ($revision, $author, $email) = split "\t", $line;
+            my ($revision, $author, $email) = split /\t/, $line;
             push @$res, { revision => $revision, author => $author, email => $email };
         }
     }

src/lib/Hydra/Plugin/PathInput.pm

@@ -5,25 +5,38 @@ use warnings;
 use parent 'Hydra::Plugin';
 use POSIX qw(strftime);
 use Hydra::Helper::Nix;
+use IPC::Run3;
 
 sub supportedInputTypes {
     my ($self, $inputTypes) = @_;
     $inputTypes->{'path'} = 'Local path or URL';
 }
 
+sub _parseValue {
+    # The input is a local path or URL, optionally followed by a
+    # time period specified in seconds.
+    my ($config, $value) = @_;
+    my @parts = split ' ', $value;
+    (my $uri, my $freq) = @parts;
+    # By default don't check a path more often than every 30 seconds,
+    # but the second path argument can change that value or the global
+    # path_input_cache_validity_seconds configuration, in that order.
+    my $timeout = defined $freq ? $freq : ($config->{path_input_cache_validity_seconds} // 30);
+
+    return ($uri, $timeout);
+}
+
 sub fetchInput {
     my ($self, $type, $name, $value) = @_;
 
     return undef if $type ne "path";
 
-    my $uri = $value;
+    my ($uri, $timeout) = _parseValue($self->{config}, $value);
 
     my $timestamp = time;
     my $sha256;
     my $storePath;
 
-    my $timeout = $self->{config}->{path_input_cache_validity_seconds} // 30;
-
     # Some simple caching: don't check a path more than once every N seconds.
     (my $cachedInput) = $self->{db}->resultset('CachedPathInputs')->search(
         {srcpath => $uri, lastseen => {">", $timestamp - $timeout}},
@@ -37,11 +50,16 @@ sub fetchInput {
 
         print STDERR "copying input ", $name, " from $uri\n";
         if ( $uri =~ /^\// ) {
-            $storePath = `nix-store --add "$uri"`
-                or die "cannot copy path $uri to the Nix store.\n";
+            $storePath = addToStore($uri);
         } else {
-            $storePath = `PRINT_PATH=1 nix-prefetch-url "$uri" | tail -n 1`
-                or die "cannot fetch $uri to the Nix store.\n";
+            # Run nix-prefetch-url with PRINT_PATH=1
+            my ($stdout, $stderr);
+            local $ENV{PRINT_PATH} = 1;
+            run3(['nix-prefetch-url', $uri], \undef, \$stdout, \$stderr);
+            die "cannot fetch $uri to the Nix store: $stderr\n" if $? != 0;
+            # Get the last line (which is the store path)
+            my @output_lines = split /\n/, $stdout;
+            $storePath = $output_lines[-1] if @output_lines;
         }
         chomp $storePath;
 

src/lib/Hydra/Plugin/RunCommand.pm

@@ -85,7 +85,7 @@ sub isBuildEligibleForDynamicRunCommand {
 sub configSectionMatches {
     my ($name, $project, $jobset, $job) = @_;
 
-    my @elems = split ':', $name;
+    my @elems = split /:/, $name;
 
     die "invalid section name '$name'\n" if scalar(@elems) > 3;
 

src/lib/Hydra/Plugin/S3Backup.pm

@@ -7,6 +7,8 @@ use File::Temp;
 use File::Basename;
 use Fcntl;
 use IO::File;
+use IPC::Run qw(run);
+use IPC::Run3;
 use Net::Amazon::S3;
 use Net::Amazon::S3::Client;
 use Digest::SHA;
@@ -27,11 +29,11 @@ my %compressors = ();
 $compressors{"none"} = "";
 
 if (defined($Nix::Config::bzip2)) {
-    $compressors{"bzip2"} = "| $Nix::Config::bzip2",
+    $compressors{"bzip2"} = "$Nix::Config::bzip2",
 }
 
 if (defined($Nix::Config::xz)) {
-    $compressors{"xz"} = "| $Nix::Config::xz",
+    $compressors{"xz"} = "$Nix::Config::xz",
 }
 
 my $lockfile = Hydra::Model::DB::getHydraPath . "/.hydra-s3backup.lock";
@@ -111,7 +113,16 @@ sub buildFinished {
             }
             next unless @incomplete_buckets;
             my $compressor = $compressors{$compression_type};
-            system("$Nix::Config::binDir/nix-store --dump $path $compressor > $tempdir/nar") == 0 or die;
+            if ($compressor eq "") {
+                # No compression - use IPC::Run3 to redirect stdout to file
+                run3(["$Nix::Config::binDir/nix-store", "--dump", $path],
+                     \undef, "$tempdir/nar", \undef) or die "nix-store --dump failed: $!";
+            } else {
+                # With compression - use IPC::Run to pipe nix-store output to compressor
+                my $dump_cmd = ["$Nix::Config::binDir/nix-store", "--dump", $path];
+                my $compress_cmd = [$compressor];
+                run($dump_cmd, '|', $compress_cmd, '>', "$tempdir/nar") or die "Pipeline failed: $?";
+            }
             my $digest = Digest::SHA->new(256);
             $digest->addfile("$tempdir/nar");
             my $file_hash = $digest->hexdigest;

src/lib/Hydra/Schema/Result/Builds.pm

@@ -563,7 +563,7 @@ makeQueries('', "");
 makeQueries('ForProject', "and jobset_id in (select id from jobsets j where j.project = ?)");
 makeQueries('ForJobset', "and jobset_id = ?");
 makeQueries('ForJob', "and jobset_id = ? and job = ?");
-makeQueries('ForJobName', "and jobset_id = (select id from jobsets j where j.name = ?) and job = ?");
+makeQueries('ForJobName', "and jobset_id = (select id from jobsets j where j.project = ? and j.name = ?) and job = ?");
 
 sub as_json {
   my ($self) = @_;

src/lib/Hydra/Schema/Result/JobsetEvalInputs.pm

@@ -66,6 +66,11 @@ __PACKAGE__->table("jobsetevalinputs");
   data_type: 'text'
   is_nullable: 1
 
+=head2 shortRevLength
+
+  data_type: 'number'
+  is_nullable: 1
+
 =head2 value
 
   data_type: 'text'
@@ -102,6 +107,8 @@ __PACKAGE__->add_columns(
   { data_type => "text", is_nullable => 1 },
   "revision",
   { data_type => "text", is_nullable => 1 },
+  "shortRevLength",
+  { data_type => "integer", is_nullable => 1 },
   "value",
   { data_type => "text", is_nullable => 1 },
   "dependency",
@@ -183,4 +190,28 @@ sub json_hint {
     return \%hint;
 }
 
+# Revision to be rendered by the frontend
+sub frontend_revision() {
+    my ($self) = @_;
+    my $type = $self->get_column('type');
+    if ($type eq 'svn' or $type eq 'svn-checkout' or $type eq 'bzr' or $type eq 'bzr-checkout') {
+        return 'r' . $self->get_column('revision');
+    } elsif ($type eq 'git') {
+        # Find the longest revision length of this URI
+        my $schema = $self->result_source->schema;
+        my $maxLength = $schema
+            ->resultset('JobsetEvalInputs')
+            ->search({ uri => $self->get_column('uri')})
+            ->get_column('shortRevLength')
+            ->max;
+        # Fall back to a fixed value if there was no value
+        return substr($self->get_column('revision'), 0, $maxLength || 12);
+    } elsif ($type eq 'bzr') {
+        return substr($self->get_column('revision'), 0, 12);
+    } else {
+        return $self->get_column('revision');
+    }
+
+}
+
 1;

src/lib/Perl/Critic/Policy/Hydra/ProhibitShellInvokingSystemCalls.pm

@@ -0,0 +1,103 @@
+package Perl::Critic::Policy::Hydra::ProhibitShellInvokingSystemCalls;
+
+use strict;
+use warnings;
+use constant;
+
+use Perl::Critic::Utils qw{ :severities :classification :ppi };
+use base 'Perl::Critic::Policy';
+
+our $VERSION = '1.000';
+
+use constant DESC => q{Shell-invoking system calls are prohibited};
+use constant EXPL => q{Use list form system() or IPC::Run3 for better security. String form invokes shell and is vulnerable to injection};
+
+sub supported_parameters { return ()                         }
+sub default_severity     { return $SEVERITY_HIGHEST         }
+sub default_themes       { return qw( hydra security )       }
+sub applies_to           { return 'PPI::Token::Word'         }
+
+sub violates {
+    my ( $self, $elem, undef ) = @_;
+
+    # Only check system() and exec() calls
+    return () unless $elem->content() =~ /^(system|exec)$/;
+    return () unless is_function_call($elem);
+
+    # Skip method calls (->system or ->exec)
+    my $prev = $elem->sprevious_sibling();
+    return () if $prev && $prev->isa('PPI::Token::Operator') && $prev->content() eq '->';
+
+    # Get first argument after function name, skipping whitespace
+    my $args = $elem->snext_sibling();
+    return () unless $args;
+    $args = $args->snext_sibling() while $args && $args->isa('PPI::Token::Whitespace');
+
+    # For parenthesized calls, look inside
+    my $search_elem = $args;
+    if ($args && $args->isa('PPI::Structure::List')) {
+        $search_elem = $args->schild(0);
+        return () unless $search_elem;
+    }
+
+    # Check if it's list form (has comma)
+    my $current = $search_elem;
+    if ($current && $current->isa('PPI::Statement')) {
+        # Look through statement children
+        for my $child ($current->schildren()) {
+            return () if $child->isa('PPI::Token::Operator') && $child->content() eq ',';
+        }
+    } else {
+        # Look through siblings for non-parenthesized calls
+        while ($current) {
+            return () if $current->isa('PPI::Token::Operator') && $current->content() eq ',';
+            last if $current->isa('PPI::Token::Structure') && $current->content() eq ';';
+            $current = $current->snext_sibling();
+        }
+    }
+
+    # Check if first arg is array variable
+    my $first = $search_elem->isa('PPI::Statement') ?
+                $search_elem->schild(0) : $search_elem;
+    return () if $first && $first->isa('PPI::Token::Symbol') && $first->content() =~ /^[@]/;
+
+    # Check if it's a safe single-word command
+    if ($first && $first->isa('PPI::Token::Quote')) {
+        my $content = $first->string();
+        return () if $content =~ /^[a-zA-Z0-9_\-\.\/]+$/;
+    }
+
+    return $self->violation( DESC, EXPL, $elem );
+}
+
+1;
+
+__END__
+
+=pod
+
+=head1 NAME
+
+Perl::Critic::Policy::Hydra::ProhibitShellInvokingSystemCalls - Prohibit shell-invoking system() and exec() calls
+
+=head1 DESCRIPTION
+
+This policy prohibits the use of C<system()> and C<exec()> functions when called with a single string argument,
+which invokes the shell and is vulnerable to injection attacks.
+
+The list form (e.g., C<system('ls', '-la')>) is allowed as it executes directly without shell interpretation.
+For better error handling and output capture, consider using C<IPC::Run3>.
+
+=head1 CONFIGURATION
+
+This Policy is not configurable except for the standard options.
+
+=head1 AUTHOR
+
+Hydra Development Team
+
+=head1 COPYRIGHT
+
+Copyright (c) 2025 Hydra Development Team. All rights reserved.
+
+=cut

src/root/all.tt

@@ -11,7 +11,7 @@ titleHTML="Latest builds" _
      "") %]
 [% PROCESS common.tt %]
 
-<p>Showing builds [% (page - 1) * resultsPerPage + 1 %] - [% (page - 1) * resultsPerPage + builds.size %] out of [% total %] in order of descending finish time.</p>
+<p>Showing builds [% (page - 1) * resultsPerPage + 1 %] - [% (page - 1) * resultsPerPage + builds.size %] out of [% HTML.escape(total) %] in order of descending finish time.</p>
 
 [% INCLUDE renderBuildList hideProjectName=project hideJobsetName=jobset hideJobName=job %]
 [% INCLUDE renderPager %]

src/root/build.tt

@@ -37,7 +37,7 @@ END;
              seen.${step.drvpath} = 1;
              log = c.uri_for('/build' build.id 'nixlog' step.stepnr); %]
           <tr>
-            <td>[% step.stepnr %]</td>
+            <td>[% HTML.escape(step.stepnr) %]</td>
             <td>
               [% IF step.type == 0 %]
                 Build of <tt>[% INCLUDE renderOutputs outputs=step.buildstepoutputs %]</tt>
@@ -86,7 +86,7 @@ END;
               [% ELSIF step.status == 11 %]
                 <span class="error">Output limit exceeded</span>
               [% ELSIF step.status == 12 %]
-                <span class="error">Non-determinism detected</span> [% IF step.timesbuilt %] after [% step.timesbuilt %] times[% END %]
+                <span class="error">Non-determinism detected</span> [% IF step.timesbuilt %] after [% HTML.escape(step.timesbuilt) %] times[% END %]
               [% ELSIF step.errormsg %]
                 <span class="error">Failed</span>: <em>[% HTML.escape(step.errormsg) %]</em>
               [% ELSE %]
@@ -112,16 +112,16 @@ END;
       [% IF c.user_exists %]
         [% IF available %]
           [% IF build.keep %]
-            <a class="dropdown-item" href="[% c.uri_for('/build' build.id 'keep' 0) %]">Unkeep</a>
+            <a class="dropdown-item" [% HTML.attributes(href => c.uri_for('/build' build.id 'keep' 0)) %]>Unkeep</a>
           [% ELSE %]
-            <a class="dropdown-item" href="[% c.uri_for('/build' build.id 'keep' 1) %]">Keep</a>
+            <a class="dropdown-item" [% HTML.attributes(href => c.uri_for('/build' build.id 'keep' 1)) %]>Keep</a>
           [% END %]
         [% END %]
         [% IF build.finished %]
-          <a class="dropdown-item" href="[% c.uri_for('/build' build.id 'restart') %]">Restart</a>
+          <a class="dropdown-item" [% HTML.attributes(href => c.uri_for('/build' build.id 'restart')) %]>Restart</a>
         [% ELSE %]
-          <a class="dropdown-item" href="[% c.uri_for('/build' build.id 'cancel') %]">Cancel</a>
-          <a class="dropdown-item" href="[% c.uri_for('/build' build.id 'bump') %]">Bump up</a>
+          <a class="dropdown-item" [% HTML.attributes(href => c.uri_for('/build' build.id 'cancel')) %]>Cancel</a>
+          <a class="dropdown-item" [% HTML.attributes(href => c.uri_for('/build' build.id 'bump')) %]>Bump up</a>
         [% END %]
       [% END %]
     </div>
@@ -132,7 +132,7 @@ END;
   <li class="nav-item"><a class="nav-link" href="#tabs-details" data-toggle="tab">Details</a></li>
   <li class="nav-item"><a class="nav-link" href="#tabs-buildinputs" data-toggle="tab">Inputs</a></li>
   [% IF steps.size() > 0 %]<li class="nav-item"><a class="nav-link" href="#tabs-buildsteps" data-toggle="tab">Build Steps</a></li>[% END %]
-  [% IF build.dependents %]<li class="nav-item"><a class="nav-link" href="#tabs-usedby" data-toggle="tab">Used By</a></li>[% END%]
+  [% IF build.dependents %]<li class="nav-item"><a class="nav-link" href="#tabs-usedby" data-toggle="tab">Used By</a></li>[% END %]
   [% IF drvAvailable %]<li class="nav-item"><a class="nav-link" href="#tabs-build-deps" data-toggle="tab">Build Dependencies</a></li>[% END %]
   [% IF localStore && available %]<li class="nav-item"><a class="nav-link" href="#tabs-runtime-deps" data-toggle="tab">Runtime Dependencies</a></li>[% END %]
   [% IF runcommandlogProblem || runcommandlogs.size() > 0 %]<li class="nav-item"><a class="nav-link" href="#tabs-runcommandlogs" data-toggle="tab">RunCommand Logs[% IF runcommandlogProblem %] <span class="badge badge-warning">Disabled</span>[% END %]</a></li>[% END %]
@@ -151,7 +151,7 @@ END;
           <table class="info-table">
             <tr>
               <th>Build ID:</th>
-              <td>[% build.id %]</td>
+              <td>[% HTML.escape(build.id) %]</td>
             </tr>
             <tr>
               <th>Status:</th>
@@ -168,9 +168,9 @@ END;
                      END;
                 %];
                   [%+ IF nrFinished == nrConstituents && nrFailedConstituents == 0 %]
-                    all [% nrConstituents %] constituent builds succeeded
+                    all [% HTML.escape(nrConstituents) %] constituent builds succeeded
                   [% ELSE %]
-                    [% nrFailedConstituents %] out of [% nrConstituents %] constituent builds failed
+                    [% HTML.escape(nrFailedConstituents) %] out of [% HTML.escape(nrConstituents) %] constituent builds failed
                     [% IF nrFinished < nrConstituents %]
                       ([% nrConstituents - nrFinished %] still pending)
                     [% END %]
@@ -180,25 +180,25 @@ END;
             </tr>
             <tr>
               <th>System:</th>
-              <td><tt>[% build.system %]</tt></td>
+              <td><tt>[% build.system | html %]</tt></td>
             </tr>
             [% IF build.releasename %]
               <tr>
                 <th>Release name:</th>
-                <td><tt>[% HTML.escape(build.releasename) %]</tt></td>
+                <td><tt>[% build.releasename | html %]</tt></td>
               </tr>
             [% ELSE %]
               <tr>
                 <th>Nix name:</th>
-                <td><tt>[% build.nixname %]</tt></td>
+                <td><tt>[% build.nixname | html %]</tt></td>
               </tr>
             [% END %]
             [% IF eval %]
               <tr>
                 <th>Part of:</th>
                 <td>
-                  <a href="[% c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id]) %]">evaluation [% eval.id %]</a>
-                  [% IF nrEvals > 1 +%] (and <a href="[% c.uri_for('/build' build.id 'evals') %]">[% nrEvals - 1 %] others</a>)[% END %]
+                  <a [% HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id])) %]>evaluation [% HTML.escape(eval.id) %]</a>
+                  [% IF nrEvals > 1 +%] (and <a [% HTML.attributes(href => c.uri_for('/build' build.id 'evals')) %]>[% nrEvals - 1 %] others</a>)[% END %]
                 </td>
               </tr>
             [% END %]
@@ -226,9 +226,9 @@ END;
                 <th>Logfile:</th>
                 <td>
                   [% actualLog = cachedBuildStep ? c.uri_for('/build' cachedBuild.id 'nixlog' cachedBuildStep.stepnr) : c.uri_for('/build' build.id 'log') %]
-                  <a class="btn btn-secondary btn-sm" href="[%actualLog%]">pretty</a>
-                  <a class="btn btn-secondary btn-sm" href="[%actualLog%]/raw">raw</a>
-                  <a class="btn btn-secondary btn-sm" href="[%actualLog%]/tail">tail</a>
+                  <a class="btn btn-secondary btn-sm" [% HTML.attributes(href => actualLog) %]>pretty</a>
+                  <a class="btn btn-secondary btn-sm" [% HTML.attributes(href => actualLog _ "/raw") %]>raw</a>
+                  <a class="btn btn-secondary btn-sm" [% HTML.attributes(href => actualLog _ "/tail") %]>tail</a>
                 </td>
               </tr>
             [% END %]
@@ -336,12 +336,12 @@ END;
       [% IF eval.nixexprinput %]
         <tr>
           <th>Nix expression:</th>
-          <td>file <tt>[% HTML.escape(eval.nixexprpath) %]</tt> in input <tt>[% HTML.escape(eval.nixexprinput) %]</tt></td>
+          <td>file <tt>[% eval.nixexprpath | html %]</tt> in input <tt>[% eval.nixexprinput | html %]</tt></td>
         </tr>
       [% END %]
       <tr>
         <th>Nix name:</th>
-        <td><tt>[% build.nixname %]</tt></td>
+        <td><tt>[% build.nixname | html %]</tt></td>
       </tr>
       <tr>
         <th>Short description:</th>
@@ -361,11 +361,11 @@ END;
       </tr>
       <tr>
         <th>System:</th>
-        <td><tt>[% build.system %]</tt></td>
+        <td><tt>[% build.system | html %]</tt></td>
       </tr>
       <tr>
         <th>Derivation store path:</th>
-        <td><tt>[% build.drvpath %]</tt></td>
+        <td><tt>[% build.drvpath | html %]</tt></td>
       </tr>
       <tr>
         <th>Output store paths:</th>
@@ -376,14 +376,14 @@ END;
         <tr>
           <th>Closure size:</th>
           <td>[% mibs(build.closuresize / (1024 * 1024)) %] MiB
-            (<a href="[%chartsURL%]">history</a>)</td>
+            (<a [% HTML.attributes(href => chartsURL) %]>history</a>)</td>
         </tr>
       [% END %]
       [% IF build.finished && build.closuresize %]
         <tr>
           <th>Output size:</th>
           <td>[% mibs(build.size / (1024 * 1024)) %] MiB
-            (<a href="[%chartsURL%]">history</a>)</td>
+            (<a [% HTML.attributes(href => chartsURL) %]>history</a>)</td>
         </tr>
       [% END %]
       [% IF build.finished && build.buildproducts %]
@@ -412,9 +412,9 @@ END;
         <tbody>
           [% FOREACH metric IN build.buildmetrics %]
             <tr>
-              <td><tt><a class="row-link" [% HTML.attributes(href => c.uri_for('/job' project.name jobset.name job 'metric' metric.name)) %]">[%HTML.escape(metric.name)%]</a></tt></td>
-              <td style="text-align: right">[%metric.value%]</td>
-              <td>[%metric.unit%]</td>
+              <td><tt><a class="row-link" [% HTML.attributes(href => c.uri_for('/job' project.name jobset.name job 'metric' metric.name)) %]">[% metric.name | html %]</a></tt></td>
+              <td style="text-align: right">[% HTML.escape(metric.value) %]</td>
+              <td>[% HTML.escape(metric.unit) %]</td>
             </tr>
           [% END %]
         </tbody>
@@ -456,8 +456,8 @@ END;
           [% FOREACH input IN build.dependents %]
             <tr>
               <td>[% INCLUDE renderFullBuildLink build=input.build %]</td>
-              <td><tt>[% input.name %]</tt></td>
-              <td><tt>[% input.build.system %]</tt></td>
+              <td><tt>[% input.name | html %]</tt></td>
+              <td><tt>[% input.build.system | html %]</tt></td>
               <td>[% INCLUDE renderDateTime timestamp = input.build.timestamp %]</td>
             </tr>
           [% END %]
@@ -484,7 +484,7 @@ END;
         [% ELSIF runcommandlogProblem == "disabled-jobset" %]
           This jobset does not enable Dynamic RunCommand support.
         [% ELSE %]
-          Dynamic RunCommand is not enabled: [% runcommandlogProblem %].
+          Dynamic RunCommand is not enabled: [% HTML.escape(runcommandlogProblem) %].
         [% END %]
       </div>
     [% END %]
@@ -503,18 +503,18 @@ END;
           </div>
 
           <div class="d-flex flex-column mr-auto align-self-center">
-            <div><tt>[% runcommandlog.command | html%]</tt></div>
+            <div><tt>[% runcommandlog.command | html %]</tt></div>
             <div>
               [% IF not runcommandlog.is_running() %]
                 [% IF runcommandlog.did_fail_with_signal() %]
-                  Exit signal: [% runcommandlog.signal %]
+                  Exit signal: [% runcommandlog.signal | html %]
                   [% IF runcommandlog.core_dumped %]
                     (Core Dumped)
                   [% END %]
                 [% ELSIF runcommandlog.did_fail_with_exec_error() %]
-                  Exec error: [% runcommandlog.error_number %]
+                  Exec error: [% runcommandlog.error_number | html %]
                 [% ELSIF not runcommandlog.did_succeed() %]
-                  Exit code: [% runcommandlog.exit_code %]
+                  Exit code: [% runcommandlog.exit_code | html %]
                 [% END %]
               [% END %]
             </div>
@@ -532,9 +532,9 @@ END;
                 [% IF runcommandlog.uuid != undef %]
                   [% runLog = c.uri_for('/build', build.id, 'runcommandlog', runcommandlog.uuid) %]
                   <div>
-                    <a class="btn btn-secondary btn-sm" href="[% runLog %]">pretty</a>
-                    <a class="btn btn-secondary btn-sm" href="[% runLog %]/raw">raw</a>
-                    <a class="btn btn-secondary btn-sm" href="[% runLog %]/tail">tail</a>
+                    <a class="btn btn-secondary btn-sm" [% HTML.attributes(href => runLog) %]>pretty</a>
+                    <a class="btn btn-secondary btn-sm" [% HTML.attributes(href => runLog) %]/raw">raw</a>
+                    <a class="btn btn-secondary btn-sm" [% HTML.attributes(href => runLog) %]/tail">tail</a>
                   </div>
                 [% END %]
               </div>
@@ -568,7 +568,7 @@ END;
           running the following command:</p>
 
 <div class="card bg-light"><div class="card-body p-2"><code>
-<span class="shell-prompt"># </span>nix build [% HTML.escape(eval.flake) %]#hydraJobs.[% HTML.escape(job) %]
+<span class="shell-prompt"># </span>nix build '[% HTML.escape(eval.flake) %]#hydraJobs.[% HTML.escape(job) %]'
 </code></div></div>
 
         [% ELSE %]

src/root/channel-contents.tt

@@ -7,7 +7,7 @@ href="http://nixos.org/">Nix package manager</a>.  If you have Nix
 installed, you can subscribe to this channel by once executing</p>
 
 <div class="card bg-light"><div class="card-body"><pre>
-<span class="shell-prompt">$ </span>nix-channel --add [% curUri +%]
+<span class="shell-prompt">$ </span>nix-channel --add [% HTML.escape(curUri) +%]
 <span class="shell-prompt">$ </span>nix-channel --update
 </pre></div></div>
 
@@ -49,9 +49,9 @@ installed, you can subscribe to this channel by once executing</p>
       [% b = pkg.build %]
 
       <tr>
-        <td><a href="[% c.uri_for('/build' b.id) %]">[% b.id %]</a></td>
-        <td><tt>[% b.get_column('releasename') || b.nixname %]</tt></td>
-        <td><tt>[% b.system %]</tt></td>
+        <td><a [% HTML.attributes(href => c.uri_for('/build' b.id)) %]>[% HTML.escape(b.id) %]</a></td>
+        <td><tt>[% b.get_column('releasename') || b.nixname | html %]</tt></td>
+        <td><tt>[% b.system | html %]</tt></td>
         <td>
           [% IF b.homepage %]
             <a [% HTML.attributes(href => b.homepage) %]>[% HTML.escape(b.description) %]</a>

src/root/common.tt

@@ -55,17 +55,17 @@ BLOCK renderRelativeDate %]
 [% END;
 
 BLOCK renderProjectName %]
-<a [% IF inRow %]class="row-link"[% END %] href="[% c.uri_for('/project' project) %]"><tt>[% project %]</tt></a>
+<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => c.uri_for('/project' project)) %]><tt>[% project | html %]</tt></a>
 [% END;
 
 
 BLOCK renderJobsetName %]
-<a [% IF inRow %]class="row-link"[% END %] href="[% c.uri_for('/jobset' project jobset) %]"><tt>[% jobset %]</tt></a>
+<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => c.uri_for('/jobset' project jobset)) %]><tt>[% jobset | html %]</tt></a>
 [% END;
 
 
 BLOCK renderJobName %]
-<a [% IF inRow %]class="row-link"[% END %] href="[% c.uri_for('/job' project jobset job) %]">[% job %]</a>
+<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => c.uri_for('/job' project jobset job)) %]>[% job | html %]</a>
 [% END;
 
 
@@ -98,7 +98,7 @@ BLOCK renderDrvInfo;
     .substr(0, -4); # strip `.drv`
   IF drvname != releasename;
     IF step.type == 0; action = "Build"; ELSE; action = "Substitution"; END;
-    IF drvname; %]<em> ([% action %] of [% drvname %])</em>[% END;
+    IF drvname; %]<em> ([% HTML.escape(action) %] of [% HTML.escape(drvname) %])</em>[% END;
   END;
 END;
 
@@ -140,25 +140,25 @@ BLOCK renderBuildListBody;
       [% IF showSchedulingInfo %]
         <td>[% IF busy %]<span class="badge badge-success">Started</span>[% ELSE %]<span class="badge badge-secondary">Queued</span>[% END %]</td>
       [% END %]
-      <td><a class="row-link" href="[% link %]">[% build.id %]</a></td>
+      <td><a class="row-link" [% HTML.attributes(href => link) %]>[% HTML.escape(build.id) %]</a></td>
       [% IF !hideJobName %]
         <td>
-          <a href="[%link%]">[% IF !hideJobsetName %][%build.jobset.get_column("project")%]:[%build.jobset.get_column("name")%]:[% END %][%build.get_column("job")%]</a>
+          <a [% HTML.attributes(href => link) %]>[% IF !hideJobsetName %][% HTML.escape(build.jobset.get_column("project")) %]:[% HTML.escape(build.jobset.get_column("name")) %]:[% END %][% HTML.escape(build.get_column("job")) %]</a>
           [% IF showStepName %]
             [% INCLUDE renderDrvInfo step=build.buildsteps releasename=build.nixname %]
           [% END %]
         </td>
       [% END %]
       <td class="nowrap">[% t = showSchedulingInfo ? build.timestamp : build.stoptime; IF t; INCLUDE renderRelativeDate timestamp=(showSchedulingInfo ? build.timestamp : build.stoptime); ELSE; "-"; END %]</td>
-      <td>[% !showSchedulingInfo and build.get_column('releasename') ? build.get_column('releasename') : build.nixname %]</td>
-      <td class="nowrap"><tt>[% build.system %]</tt></td>
+      <td>[% !showSchedulingInfo and build.get_column('releasename') ? HTML.escape(build.get_column('releasename')) : HTML.escape(build.nixname) %]</td>
+      <td class="nowrap"><tt>[% build.system | html %]</tt></td>
       [% IF showDescription %]
-        <td>[% build.description %]</td>
+        <td>[% HTML.escape(build.description) %]</td>
       [% END %]
     </tr>
   [% END;
   IF linkToAll %]
-    <tr><td class="centered" colspan="5"><a href="[% linkToAll %]"><em>More...</em></a></td></tr>
+    <tr><td class="centered" colspan="5"><a [% HTML.attributes(href => linkToAll) %]><em>More...</em></a></td></tr>
   [% END;
 END;
 
@@ -176,11 +176,11 @@ BLOCK renderBuildList;
 END;
 
 
-BLOCK renderLink %]<a href="[% uri %]">[% title %]</a>[% END;
+BLOCK renderLink %]<a [% HTML.attributes(href => uri) %]>[% HTML.escape(title) %]</a>[% END;
 
 
 BLOCK maybeLink;
-  IF uri %]<a [% HTML.attributes(href => uri, class => class); IF confirmmsg +%] onclick="javascript:return confirm('[% confirmmsg %]')"[% END %]>[% content %]</a>[% ELSE; content; END;
+  IF uri %]<a [% HTML.attributes(href => uri, class => class); IF confirmmsg +%] onclick="javascript:return confirm('[% confirmmsg %]')"[% END %]>[% HTML.escape(content) %]</a>[% ELSE; HTML.escape(content); END;
 END;
 
 
@@ -192,7 +192,7 @@ BLOCK renderSelection;
           <label class="radio inline">
             <input type="radio" [% HTML.attributes(id => param, name => param, value => name) %]
               [% IF name == curValue; "checked='1'"; END %]>
-              [% options.$name %]
+              [% HTML.escape(options.$name) %]
             </input>
           </label>
         [% END %]
@@ -200,7 +200,7 @@ BLOCK renderSelection;
     [% ELSE %]
       <select class="custom-select" [% HTML.attributes(id => param, name => param) %]>
         [% FOREACH name IN options.keys.sort %]
-          <option [% IF name == curValue; "selected='selected'"; END; " "; HTML.attributes(value => name) %]>[% options.$name %]</option>
+          <option [% IF name == curValue; "selected='selected'"; END; " "; HTML.attributes(value => name) %]>[% HTML.escape(options.$name) %]</option>
         [% END %]
       </select>
     [% END;
@@ -216,12 +216,12 @@ BLOCK editString; %]
 
 
 BLOCK renderFullBuildLink;
-  INCLUDE renderFullJobNameOfBuild build=build %] <a href="[% c.uri_for('/build' build.id) %]">build [% build.id %]</a>[%
+  INCLUDE renderFullJobNameOfBuild build=build %] <a [% HTML.attributes(href => c.uri_for('/build' build.id)) %]>build [% HTML.escape(build.id) %]</a>[%
 END;
 
 
 BLOCK renderBuildIdLink; %]
-<a href="[% c.uri_for('/build' id) %]">build [% id %]</a>
+<a [% HTML.attributes(href => c.uri_for('/build' id)) %]>build [% HTML.escape(id) %]</a>
 [% END;
 
 
@@ -320,7 +320,7 @@ END;
 
 BLOCK renderShortInputValue;
   IF input.type == "build" || input.type == "sysbuild" %]
-    <a href="[% c.uri_for('/build' input.dependency.id) %]">[% input.dependency.id %]</a>
+    <a [% HTML.attributes(href => c.uri_for('/build' input.dependency.id)) %]>[% HTML.escape(input.dependency.id) %]</a>
   [% ELSIF input.type == "string" %]
     <tt>"[% HTML.escape(input.value) %]"</tt>
   [% ELSIF input.type == "nix" || input.type == "boolean" %]
@@ -338,7 +338,7 @@ BLOCK renderDiffUri;
     url = bi1.uri;
     path = url.replace(base, '');
     IF url.match(base) %]
-      <a target="_blank" href="[% m.uri.replace('_path_', path).replace('_1_', bi1.revision).replace('_2_', bi2.revision) %]">[% contents %]</a>
+      <a target="_blank" [% HTML.attributes(href => m.uri.replace('_path_', path).replace('_1_', bi1.revision).replace('_2_', bi2.revision)) %]>[% HTML.escape(contents) %]</a>
       [% nouri = 0;
     END;
   END;
@@ -347,13 +347,24 @@ BLOCK renderDiffUri;
     url = res.0;
     branch = res.1;
     IF bi1.type == "hg" || bi1.type == "git" %]
-      <a target="_blank" href="[% HTML.escape(c.uri_for('/api/scmdiff', {
-        uri = url,
-        rev1 = bi1.revision,
-        rev2 = bi2.revision,
-        type = bi1.type,
-        branch = branch
-      })) %]">[% contents %]</a>
+      [% IF url.substr(0, 19) == "https://github.com/";
+         github_url = url.replace('\.git$', '') %]
+        <a target="_blank" [% HTML.attributes(href =>
+          github_url
+          _ "/compare/"
+          _ bi1.revision
+          _ "..."
+          _ bi2.revision,
+        ) %]>[% HTML.escape(contents) %]</a>
+      [% ELSE %]
+        <a target="_blank" [% HTML.attributes(href => c.uri_for('/api/scmdiff', {
+          uri = url,
+          rev1 = bi1.revision,
+          rev2 = bi2.revision,
+          type = bi1.type,
+          branch = branch
+        })) %]>[% HTML.escape(contents) %]</a>
+      [% END %]
     [% ELSE;
       contents;
     END;
@@ -369,8 +380,8 @@ BLOCK renderInputs; %]
     <tbody>
       [% FOREACH input IN inputs %]
         <tr>
-          <td><tt>[% input.name %]</tt></td>
-          <td>[% type = input.type; inputTypes.$type %]</td>
+          <td><tt>[% input.name | html %]</tt></td>
+          <td>[% type = input.type; HTML.escape(inputTypes.$type) %]</td>
           <td>
             [% IF input.type == "build" || input.type == "sysbuild" %]
               [% INCLUDE renderFullBuildLink build=input.dependency %]
@@ -383,7 +394,7 @@ BLOCK renderInputs; %]
             [% END %]
           </td>
           <td>[% IF input.revision %][% HTML.escape(input.revision) %][% END %]</td>
-          <td><tt>[% input.path %]</tt></td>
+          <td><tt>[% input.path | html %]</tt></td>
         </tr>
       [% END %]
     </tbody>
@@ -407,33 +418,33 @@ BLOCK renderInputDiff; %]
           IF bi1.name == bi2.name;
             IF bi1.type == bi2.type;
               IF bi1.value != bi2.value || bi1.uri != bi2.uri %]
-                <tr><td><b>[% bi1.name %]</b></td><td><tt>[% INCLUDE renderShortInputValue input=bi1 %]</tt> to <tt>[% INCLUDE renderShortInputValue input=bi2 %]</tt></td></tr>
+                <tr><td><b>[% HTML.escape(bi1.name) %]</b></td><td><tt>[% INCLUDE renderShortInputValue input=bi1 %]</tt> to <tt>[% INCLUDE renderShortInputValue input=bi2 %]</tt></td></tr>
               [% ELSIF bi1.uri == bi2.uri && bi1.revision != bi2.revision %]
                 [% IF bi1.type == "git" %]
                   <tr><td>
-                    <b>[% bi1.name %]</b></td><td><tt>[% INCLUDE renderDiffUri contents=(bi1.revision.substr(0, 12) _ ' to ' _ bi2.revision.substr(0, 12)) %]</tt>
+                    <b>[% HTML.escape(bi1.name) %]</b></td><td><tt>[% INCLUDE renderDiffUri contents=(bi1.frontend_revision _ ' to ' _ bi2.frontend_revision) %]</tt>
                   </td></tr>
                 [% ELSE %]
                   <tr><td>
-                    <b>[% bi1.name %]</b></td><td><tt>[% INCLUDE renderDiffUri contents=(bi1.revision _ ' to ' _ bi2.revision) %]</tt>
+                    <b>[% HTML.escape(bi1.name) %]</b></td><td><tt>[% INCLUDE renderDiffUri contents=(bi1.revision _ ' to ' _ bi2.revision) %]</tt>
                   </td></tr>
                 [% END %]
               [% ELSIF bi1.dependency.id != bi2.dependency.id || bi1.path != bi2.path %]
                 <tr><td>
-                  <b>[% bi1.name %]</b></td><td><tt>[% INCLUDE renderShortInputValue input=bi1 %]</tt> to <tt>[% INCLUDE renderShortInputValue input=bi2 %]</tt>
+                  <b>[% HTML.escape(bi1.name) %]</b></td><td><tt>[% INCLUDE renderShortInputValue input=bi1 %]</tt> to <tt>[% INCLUDE renderShortInputValue input=bi2 %]</tt>
                   <br/>
                   <br/>
                   [% INCLUDE renderInputDiff inputs1=bi1.dependency.inputs inputs2=bi2.dependency.inputs nestedDiff=1 nestLevel=nestLevel+1 %]
                 </td></tr>
               [% END %]
             [% ELSE %]
-              <tr><td><b>[% bi1.name %]</b></td><td>Changed input type from '[% type = bi1.type; inputTypes.$type %]' to '[% type = bi2.type; inputTypes.$type %]'</td></tr>
+              <tr><td><b>[% HTML.escape(bi1.name) %]</b></td><td>Changed input type from '[% type = bi1.type; HTML.escape(inputTypes.$type) %]' to '[% type = bi2.type; HTML.escape(inputTypes.$type) %]'</td></tr>
             [% END;
             deletedInput = 0;
           END;
         END;
         IF deletedInput == 1 %]
-          <tr><td><b>[% bi1.name %]</b></td><td>Input not present in this build.</td></tr>
+          <tr><td><b>[% HTML.escape(bi1.name) %]</b></td><td>Input not present in this build.</td></tr>
         [% END;
       END;
     END %]
@@ -443,25 +454,19 @@ BLOCK renderInputDiff; %]
 
 BLOCK renderPager %]
   <ul class="pagination">
-    <li class="page-item[% IF page == 1 %] disabled[% END %]"><a class="page-link" href="[% "$baseUri?page=1" %]">&laquo; First</a></li>
-    <li class="page-item[% IF page == 1 %] disabled[% END %]"><a class="page-link" href="[% "$baseUri?page="; (page - 1) %]">&lsaquo; Previous</a></li>
-    <li class="page-item[% IF page * resultsPerPage >= total %] disabled[% END %]"><a class="page-link" href="[% "$baseUri?page="; (page + 1) %]">Next &rsaquo;</a></li>
-    <li class="page-item[% IF page * resultsPerPage >= total %] disabled[% END %]"><a class="page-link" href="[% "$baseUri?page="; (total - 1) div resultsPerPage + 1 %]">Last &raquo;</a></li>
+    <li class="page-item[% IF page == 1 %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page=1") %]>&laquo; First</a></li>
+    <li class="page-item[% IF page == 1 %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page=" _ (page - 1)) %]>&lsaquo; Previous</a></li>
+    <li class="page-item[% IF page * resultsPerPage >= total %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page=" _ (page + 1)) %]>Next &rsaquo;</a></li>
+    <li class="page-item[% IF page * resultsPerPage >= total %] disabled[% END %]"><a class="page-link" [% HTML.attributes(href => "$baseUri?page=" _ ((total - 1) div resultsPerPage + 1)) %]>Last &raquo;</a></li>
   </ul>
 [% END;
 
 
 BLOCK renderShortEvalInput;
-  IF input.type == "svn" || input.type == "svn-checkout" || input.type == "bzr" || input.type == "bzr-checkout" %]
-    r[% input.revision %]
-  [% ELSIF input.type == "git" %]
-    <tt>[% input.revision.substr(0, 7) %]</tt>
-  [% ELSIF input.type == "hg" %]
-    <tt>[% input.revision.substr(0, 12) %]</tt>
-  [% ELSIF input.type == "build" || input.type == "sysbuild" %]
-    <a href="[% c.uri_for('/build' input.get_column('dependency')) %]">[% input.get_column('dependency') %]</a>
+  IF input.type == "build" || input.type == "sysbuild" %]
+    <a [% HTML.attributes(href => c.uri_for('/build' input.get_column('dependency'))) %]>[% HTML.escape(input.get_column('dependency')) %]</a>
   [% ELSE %]
-    <tt>[% input.revision %]</tt>
+    <tt>[% input.frontend_revision | html %]</tt>
   [% END;
 END;
 
@@ -498,7 +503,7 @@ BLOCK renderEvals %]
         eval = e.eval;
         link = c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id]) %]
         <tr>
-          <td><a class="row-link" href="[% link %]">[% eval.id %]</a></td>
+          <td><a class="row-link" [% HTML.attributes(href => link) %]>[% HTML.escape(eval.id) %]</a></td>
           [% IF !jobset && !build %]
             <td>[% INCLUDE renderFullJobsetName project=eval.jobset.project.name jobset=eval.jobset.name %]</td>
           [% END %]
@@ -507,7 +512,7 @@ BLOCK renderEvals %]
             [% IF e.changedInputs.size > 0;
               sep='';
               FOREACH input IN e.changedInputs;
-                sep; %] [% input.name %] → [% INCLUDE renderShortEvalInput input=input;
+                sep; %] [% HTML.escape(input.name) %] → [% INCLUDE renderShortEvalInput input=input;
                 sep=', ';
               END;
             ELSE %]
@@ -518,29 +523,29 @@ BLOCK renderEvals %]
             [% END %]
           </td>
           <td align='right' class="nowrap">
-            <span class="badge badge-success">[% e.nrSucceeded %]</span>
+            <span class="badge badge-success">[% HTML.escape(e.nrSucceeded) %]</span>
           </td>
           <td align="right" class="nowrap">
             [% IF e.nrFailed > 0 %]
-            <span class="badge badge-danger">[% e.nrFailed %]</span>
+            <span class="badge badge-danger">[% HTML.escape(e.nrFailed) %]</span>
             [% END %]
           </td>
           <td align="right" class="nowrap">
             [% IF e.nrScheduled > 0 %]
-            <span class="badge badge-secondary">[% e.nrScheduled %]</span>
+            <span class="badge badge-secondary">[% HTML.escape(e.nrScheduled) %]</span>
             [% END %]
           </td>
           <td align='right' class="nowrap">
             [% IF e.diff > 0 %]
-              <span class='badge badge-success'><strong>+[% e.diff %]</strong></span>
+              <span class='badge badge-success'><strong>+[% HTML.escape(e.diff) %]</strong></span>
             [% ELSIF e.diff < 0 && e.nrScheduled == 0 %]
-              <span class='badge badge-danger'><strong>[% e.diff %]</strong></span>
+              <span class='badge badge-danger'><strong>[% HTML.escape(e.diff) %]</strong></span>
             [% END %]
           </td>
         </tr>
       [% END;
       IF linkToAll %]
-        <tr><td class="centered" colspan="7"><a href="[% linkToAll %]"><em>More...</em></a></td></tr>
+        <tr><td class="centered" colspan="7"><a [% HTML.attributes(href => linkToAll) %]><em>More...</em></a></td></tr>
       [% END %]
     </tbody>
   </table>
@@ -548,19 +553,19 @@ BLOCK renderEvals %]
 
 
 BLOCK renderLogLinks %]
-(<a [% IF inRow %]class="row-link"[% END %] href="[% url %]">log</a>, <a href="[% "$url/raw" %]">raw</a>, <a href="[% "$url/tail" %]">tail</a>)
+(<a [% IF inRow %]class="row-link"[% END %] [% HTML.attributes(href => url) %]>log</a>, <a [% HTML.attributes(href => "$url/raw") %]>raw</a>, <a [% HTML.attributes(href => "$url/tail") %]>tail</a>)
 [% END;
 
 
 BLOCK makeLazyTab %]
-  <div id="[% tabName %]" class="tab-pane">
+  <div [% HTML.attributes(id => tabName) %] class="tab-pane">
     <center><span class="spinner-border spinner-border-sm"/></center>
   </div>
   <script>
     [% IF callback.defined %]
-    $(function() { makeLazyTab("[% tabName %]", "[% uri %]", [% callback %] ); });
+    $(function() { makeLazyTab("[% HTML.escape(tabName) %]", "[% uri %]", [% callback %] ); });
     [% ELSE %]
-    $(function() { makeLazyTab("[% tabName %]", "[% uri %]", null ); });
+    $(function() { makeLazyTab("[% HTML.escape(tabName) %]", "[% uri %]", null ); });
     [% END %]
   </script>
 [% END;
@@ -587,7 +592,7 @@ BLOCK navItem %]
   <li class="nav-item">
     <a class="nav-link[% IF "${root}${curUri}" == uri %] active[% END %]"
       [% HTML.attributes(href => uri) %]>
-      [% title %]
+      [% HTML.escape(title) %]
     </a>
   </li>
 [% END;
@@ -657,17 +662,17 @@ BLOCK renderJobsetOverview %]
         <td><span class="[% class %]">[% successrate FILTER format('%d') %]%</span></td>
         <td>
           [% IF j.get_column('nrsucceeded') > 0 %]
-            <span class="badge badge-success">[% j.get_column('nrsucceeded') %]</span>
+            <span class="badge badge-success">[% HTML.escape(j.get_column('nrsucceeded')) %]</span>
           [% END %]
         </td>
         <td>
           [% IF j.get_column('nrfailed') > 0 %]
-            <span class="badge badge-danger">[% j.get_column('nrfailed') %]</span>
+            <span class="badge badge-danger">[% HTML.escape(j.get_column('nrfailed')) %]</span>
           [% END %]
         </td>
         <td>
           [% IF j.get_column('nrscheduled') > 0 %]
-            <span class="badge badge-secondary">[% j.get_column('nrscheduled') %]</span>
+            <span class="badge badge-secondary">[% HTML.escape(j.get_column('nrscheduled')) %]</span>
           [% END %]
         </td>
       </tr>
@@ -695,12 +700,12 @@ BLOCK renderYesNo %]
 
 BLOCK createChart %]
 
-  <div id="[%id%]-chart" style="width: 1000px; height: 400px;"></div>
-  <div id="[%id%]-overview" style="margin-top: 20px; margin-left: 50px; margin-right: 50px; width: 900px; height: 100px"></div>
+  <div id="[% id %]-chart" style="width: 1000px; height: 400px;"></div>
+  <div id="[% id %]-overview" style="margin-top: 20px; margin-left: 50px; margin-right: 50px; width: 900px; height: 100px"></div>
 
   <script type="text/javascript">
     $(function() {
-      showChart("[%id%]", "[%dataUrl%]", "[%yaxis%]");
+      showChart("[% HTML.escape(id) %]", "[% dataUrl %]", "[% yaxis %]");
     });
   </script>
 

src/root/dashboard-my-jobs-tab.tt

@@ -9,7 +9,7 @@
 
 [% ELSE %]
 
-  <p>Below are the most recent builds of the [% builds.size %] jobs of which you
+  <p>Below are the most recent builds of the [% HTML.escape(builds.size) %] jobs of which you
   (<tt>[% HTML.escape(user.emailaddress) %]</tt>) are a maintainer.</p>
 
   [% INCLUDE renderBuildList %]

src/root/dashboard.tt

@@ -24,7 +24,7 @@
             <tr>
               <td><span class="[% IF !jobExists(j.job.jobset j.job.job) %]disabled-job[% END %]">[% INCLUDE renderFullJobName project=j.job.get_column('project') jobset=j.job.get_column('jobset') job=j.job.job %]</span></td>
               [% FOREACH b IN j.builds %]
-                <td><a href="[% c.uri_for('/build' b.id) %]">[% INCLUDE renderBuildStatusIcon size=16 build=b %]</a></td>
+                <td><a [% HTML.attributes(href => c.uri_for('/build' b.id)) %]>[% INCLUDE renderBuildStatusIcon size=16 build=b %]</a></td>
               [% END %]
             </tr>
           [% END %]

src/root/deps.tt

@@ -3,20 +3,20 @@
 [% BLOCK renderNode %]
   <li>
     [% IF done.${node.path} %]
-      <tt>[% node.name %]</tt> (<a href="#[% done.${node.path} %]"><em>repeated</em></a>)
+      <tt>[% node.name | html %]</tt> (<a [% HTML.attributes(href => "#" _ done.${node.path}) %]><em>repeated</em></a>)
     [% ELSE %]
       [% done.${node.path} = global.nodeId; global.nodeId = global.nodeId + 1; %]
       [% IF node.refs.size > 0 %]
         <a href="javascript:" class="tree-toggle"></a>
       [% END %]
-      <span id="[% done.${node.path} %]"><span class="dep-tree-line">
+      <span [% HTML.attributes(id => done.${node.path}) %]><span class="dep-tree-line">
         [% IF node.buildStep %]
-          <a href="[% c.uri_for('/build' node.buildStep.get_column('build')) %]"><tt>[% node.name %]</tt></a> [%
+          <a [% HTML.attributes(href => c.uri_for('/build' node.buildStep.get_column('build'))) %]><tt>[% node.name %]</tt></a> [%
             IF buildStepLogExists(node.buildStep);
               INCLUDE renderLogLinks url=c.uri_for('/build' node.buildStep.get_column('build') 'nixlog' node.buildStep.stepnr);
             END %]
         [% ELSE %]
-          <tt>[% node.name %]</tt> (<em>no info</em>)
+          <tt>[% node.name | html %]</tt> (<em>no info</em>)
         [% END %]
       </span></span>
       [% IF isRoot %]

src/root/edit-jobset.tt

@@ -7,17 +7,17 @@
 [% USE format %]
 
 [% BLOCK renderJobsetInput %]
-  <tr class="input [% extraClass %]" [% IF id %]id="[% id %]"[% END %]>
+  <tr class="input [% extraClass %]" [% IF id %][% HTML.attributes(id => id) %][% END %]>
     <td>
       <button type="button" class="btn btn-warning" onclick='$(this).parents(".input").remove()'><i class="fas fa-trash"></i></button>
     </td>
     <td>
-      <input type="text" id="[% baseName %]-name" name="[% baseName %]-name" [% HTML.attributes(value => input.name) %]/>
+      <input type="text" [% HTML.attributes(id => baseName _ "-name", name => baseName _ "-name", value => input.name) %] />
     </td>
     <td>
       [% INCLUDE renderSelection curValue=input.type param="$baseName-type" options=inputTypes edit=1 %]
     </td>
-    <td id="[% baseName %]">
+    <td [% HTML.attributes(id => baseName) %]>
       [% IF createFromEval %]
         [% value = (input.uri or input.value); IF input.revision; value = value _ " " _ input.revision; END;
            warn = input.altnr != 0;
@@ -36,7 +36,7 @@
       <input style="width: 95%" type="text" [% HTML.attributes(value => value, id => "$baseName-value", name => "$baseName-value") %]/>
     </td>
     <td>
-      <input type="checkbox" id="[% baseName %]-emailresponsible" name="[% baseName %]-emailresponsible" [% IF input.emailresponsible; 'checked="checked"'; END %]/>
+      <input type="checkbox" [% HTML.attributes(id => "$baseName-emailresponsible", name => "$baseName-emailresponsible") %] [% IF input.emailresponsible; 'checked="checked"'; END %]/>
     </td>
   </tr>
 [% END %]
@@ -149,7 +149,7 @@
     <label class="col-sm-3" for="editjobsetschedulingshares">
       Scheduling shares
       [% IF totalShares %]
-        <small class="form-text text-muted">([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% totalShares %] shares)</small>
+        <small class="form-text text-muted">([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% HTML.escape(totalShares) %] shares)</small>
       [% END %]
     </label>
     <div class="col-sm-9">
@@ -195,7 +195,7 @@
 
   [% INCLUDE renderJobsetInputs %]
 
-  <button id="submit-jobset" type="submit" class="btn btn-primary"><i class="fas fa-check"></i> [%IF !edit %]Create jobset[% ELSE %]Apply changes[% END %]</button>
+  <button id="submit-jobset" type="submit" class="btn btn-primary"><i class="fas fa-check"></i> [% IF !edit %]Create jobset[% ELSE %]Apply changes[% END %]</button>
 
   <table style="display: none">
     [% INCLUDE renderJobsetInput input="" extraClass="template" id="input-template" baseName="input-template" %]

src/root/edit-project.tt

@@ -86,7 +86,7 @@
 
   <button id="submit-project" type="submit" class="btn btn-primary">
     <i class="fas fa-check"></i>
-    [%IF create %]Create project[% ELSE %]Apply changes[% END %]
+    [% IF create %]Create project[% ELSE %]Apply changes[% END %]
   </button>
 
 </form>

src/root/evals.tt

@@ -10,7 +10,7 @@
 [% PROCESS common.tt %]
 
 <p>Showing evaluations [% (page - 1) * resultsPerPage + 1 %] - [%
-(page - 1) * resultsPerPage + evals.size %] out of [% total %].</p>
+(page - 1) * resultsPerPage + evals.size %] out of [% HTML.escape(total) %].</p>
 
 [% INCLUDE renderEvals %]
 

src/root/job-metrics-tab.tt

@@ -16,7 +16,7 @@
 
   [% FOREACH metric IN metrics %]
 
-    <h3>Metric: <a [% HTML.attributes(href => c.uri_for('/job' project.name jobset.name job 'metric' metric.name)) %]><tt>[%HTML.escape(metric.name)%]</tt></a></h3>
+    <h3>Metric: <a [% HTML.attributes(href => c.uri_for('/job' project.name jobset.name job 'metric' metric.name)) %]><tt>[% HTML.escape(metric.name) %]</tt></a></h3>
 
     [% id = metricDivId(metric.name);
        INCLUDE createChart dataUrl=c.uri_for('/job' project.name jobset.name job 'metric' metric.name); %]

src/root/job.tt

@@ -9,9 +9,9 @@
 [% INCLUDE includeFlot %]
 
 [% IF !jobExists(jobset, job) %]
-<div class="alert alert-warning">This job is not a member of the <a
-href="[%c.uri_for('/jobset' project.name jobset.name
-'evals')%]">latest evaluation</a> of its jobset. This means it was
+<div class="alert alert-warning">This job is not a member of the
+<a [% HTML.attributes(href => c.uri_for('/jobset' project.name jobset.name
+'evals')) %]>latest evaluation</a> of its jobset. This means it was
 removed or had an evaluation error.</div>
 [% END %]
 
@@ -46,7 +46,7 @@ removed or had an evaluation error.</div>
       its success or failure is determined entirely by the result of
       building its <em>constituent jobs</em>. The table below shows
       the status of each constituent job for the [%
-      aggregates.keys.size %] most recent builds of the
+      HTML.escape(aggregates.keys.size) %] most recent builds of the
       aggregate.</div>
 
       [% aggs = aggregates.keys.nsort.reverse %]
@@ -58,7 +58,7 @@ removed or had an evaluation error.</div>
               <th class="rotate-45">
                 [% agg_ = aggregates.$agg %]
                 <div><span class="[% agg_.build.finished == 0 ? "text-info" : (agg_.build.buildstatus == 0 ? "text-success" : "text-warning") %] override-link">
-                  <a href="[% c.uri_for('/build' agg) %]">[% agg %]</a>
+                  <a [% HTML.attributes(href => c.uri_for('/build' agg)) %]>[% agg %]</a>
                 </span></div></th>
             [% END %]
           </tr>
@@ -70,7 +70,7 @@ removed or had an evaluation error.</div>
               [% FOREACH agg IN aggs %]
                 <td>
                   [% r = aggregates.$agg.constituents.$j; IF r.id %]
-                    <a href="[% c.uri_for('/build' r.id) %]">
+                    <a [% HTML.attributes(href => c.uri_for('/build' r.id)) %]>
                       [% INCLUDE renderBuildStatusIcon size=16 build=r %]
                     </a>
                   [% END %]
@@ -89,8 +89,8 @@ removed or had an evaluation error.</div>
 
   <div id="tabs-links" class="tab-pane">
     <ul>
-      <li><a href="[% c.uri_for('/job' project.name jobset.name job 'latest') %]">Latest successful build</a></li>
-      <li><a href="[% c.uri_for('/job' project.name jobset.name job 'latest-finished') %]">Latest successful build from a finished evaluation</a></li>
+      <li><a [% HTML.attributes(href => c.uri_for('/job' project.name jobset.name job 'latest')) %]>Latest successful build</a></li>
+      <li><a [% HTML.attributes(href => c.uri_for('/job' project.name jobset.name job 'latest-finished')) %]>Latest successful build from a finished evaluation</a></li>
     </ul>
   </div>
 

src/root/jobset-channels-tab.tt

@@ -14,7 +14,7 @@
         [% FOREACH eval IN evalIds %]
           <th class="rotate-45">
             <div><span>
-              <a href="[% c.uri_for('/eval' eval) %]">[% INCLUDE renderRelativeDate timestamp=evals.$eval.timestamp %]</a>
+              <a [% HTML.attributes(href => c.uri_for('/eval' eval)) %]>[% INCLUDE renderRelativeDate timestamp=evals.$eval.timestamp %]</a>
             </span></div></th>
         [% END %]
       </tr>
@@ -22,9 +22,9 @@
     <tbody>
       [% FOREACH chan IN channels-%]
         <tr>
-          <th><span><a href="[% c.uri_for('/channel/custom' project.name jobset.name chan) %]">[% chan %]</a></span></th>
+          <th><span><a [% HTML.attributes(href => c.uri_for('/channel/custom' project.name jobset.name chan)) %]>[% HTML.escape(chan) %]</a></span></th>
           [% FOREACH eval IN evalIds %]
-            <td>[% r = evals.$eval.builds.$chan; IF r.id %]<a href="[% c.uri_for('/build' r.id) %]">[% INCLUDE renderBuildStatusIcon size=16 build=r %]</a>[% END %]</td>
+            <td>[% r = evals.$eval.builds.$chan; IF r.id %]<a [% HTML.attributes(href => c.uri_for('/build' r.id)) %]>[% INCLUDE renderBuildStatusIcon size=16 build=r %]</a>[% END %]</td>
           [% END %]
         </tr>
       [% END %]

src/root/jobset-eval.tt

@@ -13,23 +13,23 @@
     <a class="dropdown-item" href="?compare=-[% 31 * 24 * 60 * 60 %]&full=[% full ? 1 : 0 %]">This jobset <strong>one month</strong> earlier</a>
     [% IF project.jobsets_rs.count > 1 %]
       <div class="dropdown-divider"></div>
-      [% FOREACH j IN project.jobsets.sort('name'); IF j.name != jobset.name %]
-        <a class="dropdown-item" href="?compare=[% j.name %]&full=[% full ? 1 : 0 %]">Jobset <tt>[% project.name %]:[% j.name %]</tt></a>
+      [% FOREACH j IN project.jobsets.sort('name'); IF j.name != jobset.name && j.enabled == 1 %]
+        <a class="dropdown-item" href="?compare=[% j.name | uri %]&full=[% full ? 1 : 0 %]">Jobset <tt>[% project.name | html %]:[% j.name | html %]</tt></a>
       [% END; END %]
     [% END %]
   </div>
 </div>
 
 <p>This evaluation was performed [% IF eval.flake %]from the flake
-<tt>[%HTML.escape(eval.flake)%]</tt>[%END%] on [% INCLUDE renderDateTime
+<tt>[% HTML.escape(eval.flake) %]</tt>[% END %] on [% INCLUDE renderDateTime
 timestamp=eval.timestamp %]. Fetching the dependencies took [%
-eval.checkouttime %]s and evaluation took [% eval.evaltime %]s.</p>
+eval.checkouttime %]s and evaluation took [% HTML.escape(eval.evaltime) %]s.</p>
 
 [% IF otherEval %]
 <p>Comparisons are relative to [% INCLUDE renderFullJobsetName
-project=otherEval.jobset.project.name jobset=otherEval.jobset.name %] evaluation <a href="[%
-c.uri_for(c.controller('JobsetEval').action_for('view'),
-[otherEval.id]) %]">[% otherEval.id %]</a>.</p>
+project=otherEval.jobset.project.name jobset=otherEval.jobset.name %] evaluation <a [%
+HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('view'),
+[otherEval.id])) %]>[% HTML.escape(otherEval.id) %]</a>.</p>
 [% END %]
 
 <form>
@@ -45,46 +45,46 @@ c.uri_for(c.controller('JobsetEval').action_for('view'),
     <li class="nav-item dropdown">
       <a class="nav-link dropdown-toggle" data-toggle="dropdown" href="#">Actions</a>
       <div class="dropdown-menu">
-        <a class="dropdown-item" href="[% c.uri_for(c.controller('JobsetEval').action_for('create_jobset'), [eval.id]) %]">Create a jobset from this evaluation</a>
+        <a class="dropdown-item" [% HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('create_jobset'), [eval.id])) %]>Create a jobset from this evaluation</a>
         [% IF totalQueued > 0 %]
-          <a class="dropdown-item" href="[% c.uri_for(c.controller('JobsetEval').action_for('cancel'), [eval.id]) %]">Cancel all scheduled builds</a>
+          <a class="dropdown-item" [% HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('cancel'), [eval.id])) %]>Cancel all scheduled builds</a>
         [% END %]
         [% IF totalFailed > 0 %]
-          <a class="dropdown-item" href="[% c.uri_for(c.controller('JobsetEval').action_for('restart_failed'), [eval.id]) %]">Restart all failed builds</a>
+          <a class="dropdown-item" [% HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('restart_failed'), [eval.id])) %]>Restart all failed builds</a>
         [% END %]
         [% IF totalAborted > 0 %]
-          <a class="dropdown-item" href="[% c.uri_for(c.controller('JobsetEval').action_for('restart_aborted'), [eval.id]) %]">Restart all aborted builds</a>
+          <a class="dropdown-item" [% HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('restart_aborted'), [eval.id])) %]>Restart all aborted builds</a>
         [% END %]
         [% IF totalQueued > 0 %]
-          <a class="dropdown-item" href="[% c.uri_for(c.controller('JobsetEval').action_for('bump'), [eval.id]) %]">Bump builds to front of queue</a>
+          <a class="dropdown-item" [% HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('bump'), [eval.id])) %]>Bump builds to front of queue</a>
         [% END %]
       </div>
     </li>
   [% END %]
 
   [% IF aborted.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-aborted" data-toggle="tab"><span class="text-warning">Aborted / Timed out Jobs ([% aborted.size %])</span></a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-aborted" data-toggle="tab"><span class="text-warning">Aborted / Timed out Jobs ([% HTML.escape(aborted.size) %])</span></a></li>
   [% END %]
   [% IF nowFail.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-now-fail" data-toggle="tab"><span class="text-warning">Newly Failing Jobs ([% nowFail.size %])</span></a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-now-fail" data-toggle="tab"><span class="text-warning">Newly Failing Jobs ([% HTML.escape(nowFail.size) %])</span></a></li>
   [% END %]
   [% IF nowSucceed.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-now-succeed" data-toggle="tab"><span class="text-success">Newly Succeeding Jobs ([% nowSucceed.size %])</span></a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-now-succeed" data-toggle="tab"><span class="text-success">Newly Succeeding Jobs ([% HTML.escape(nowSucceed.size) %])</span></a></li>
   [% END %]
   [% IF new.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-new" data-toggle="tab">New Jobs ([% new.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-new" data-toggle="tab">New Jobs ([% HTML.escape(new.size) %])</a></li>
   [% END %]
   [% IF removed.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-removed" data-toggle="tab">Removed Jobs ([% removed.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-removed" data-toggle="tab">Removed Jobs ([% HTML.escape(removed.size) %])</a></li>
   [% END %]
   [% IF stillFail.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-still-fail" data-toggle="tab">Still Failing Jobs ([% stillFail.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-still-fail" data-toggle="tab">Still Failing Jobs ([% HTML.escape(stillFail.size) %])</a></li>
   [% END %]
   [% IF stillSucceed.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-still-succeed" data-toggle="tab">Still Succeeding Jobs ([% stillSucceed.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-still-succeed" data-toggle="tab">Still Succeeding Jobs ([% HTML.escape(stillSucceed.size) %])</a></li>
   [% END %]
   [% IF unfinished.size > 0 %]
-    <li class="nav-item"><a class="nav-link" href="#tabs-unfinished" data-toggle="tab">Queued Jobs ([% unfinished.size %])</a></li>
+    <li class="nav-item"><a class="nav-link" href="#tabs-unfinished" data-toggle="tab">Queued Jobs ([% HTML.escape(unfinished.size) %])</a></li>
   [% END %]
   <li class="nav-item"><a class="nav-link" href="#tabs-inputs" data-toggle="tab">Inputs</a></li>
 
@@ -99,7 +99,7 @@ c.uri_for(c.controller('JobsetEval').action_for('view'),
   [% INCLUDE renderBuildListBody builds=builds.slice(0, (size > max ? max : size) - 1)
        hideProjectName=1 hideJobsetName=1 busy=0 %]
   [% IF size > max; params = c.req.params; params.full = 1 %]
-  <tr><td class="centered" colspan="6"><a href="[% c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id], params) %][% tabname %]"><em>([% size - max %] more builds omitted)</em></a></td></tr>
+  <tr><td class="centered" colspan="6"><a [% HTML.attributes(href => c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id], params) _ tabname) %]><em>([% size - max %] more builds omitted)</em></a></td></tr>
   [% END %]
   [% INCLUDE renderBuildListFooter %]
 [% END %]
@@ -132,11 +132,11 @@ c.uri_for(c.controller('JobsetEval').action_for('view'),
         [% FOREACH j IN removed.slice(0,(size > max ? max : size) - 1) %]
           <tr>
             <td>[% INCLUDE renderJobName project=project.name jobset=jobset.name job=j.job %]</td>
-            <td><tt>[% j.system %]</tt></td>
+            <td><tt>[% j.system | html %]</tt></td>
           </tr>
         [% END %]
         [% IF size > max; params = c.req.params; params.full = 1 %]
-          <tr><td class="centered" colspan="2"><a href="[% c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id], params) %]#tabs-removed"><em>([% size - max %] more jobs omitted)</em></a></td></tr>
+          <tr><td class="centered" colspan="2"><a [% HTML.attributes(c.uri_for(c.controller('JobsetEval').action_for('view'), [eval.id], params) _ "#tabs-removed") %]><em>([% size - max %] more jobs omitted)</em></a></td></tr>
         [% END %]
       </tbody>
     </table>

src/root/jobset-jobs-tab.tt

@@ -41,7 +41,7 @@
 [% ELSE %]
 
   [% IF nrJobs > jobs.size %]
-    <div class="alert alert-info">Showing the first [% jobs.size %] jobs.  <a href="javascript:setFilter('filter=%')">Show all [% nrJobs %] jobs...</a></div>
+    <div class="alert alert-info">Showing the first [% HTML.escape(jobs.size) %] jobs.  <a href="javascript:setFilter('filter=%')">Show all [% HTML.escape(nrJobs) %] jobs...</a></div>
   [% END %]
 
   [% evalIds = evals.keys.nsort.reverse %]
@@ -52,7 +52,7 @@
         [% FOREACH eval IN evalIds %]
           <th class="rotate-45">
             <div><span>
-              <a href="[% c.uri_for('/eval' eval) %]">[% INCLUDE renderRelativeDate timestamp=evals.$eval.timestamp %]</a>
+              <a [% HTML.attributes(href => c.uri_for('/eval' eval)) %]>[% INCLUDE renderRelativeDate timestamp=evals.$eval.timestamp %]</a>
             </span></div></th>
         [% END %]
       </tr>
@@ -62,7 +62,7 @@
         <tr>
           <th><span [% IF inactiveJobs.$j %]class="muted override-link"[% END %]>[% INCLUDE renderJobName project=project.name jobset=jobset.name job=j %]</span></th>
           [% FOREACH eval IN evalIds %]
-            <td>[% r = evals.$eval.builds.$j; IF r.id %]<a href="[% c.uri_for('/build' r.id) %]">[% INCLUDE renderBuildStatusIcon size=16 build=r %]</a>[% END %]</td>
+            <td>[% r = evals.$eval.builds.$j; IF r.id %]<a [% HTML.attributes(href => c.uri_for('/build' r.id)) %]>[% INCLUDE renderBuildStatusIcon size=16 build=r %]</a>[% END %]</td>
           [% END %]
         </tr>
       [% END %]

src/root/jobset.tt

@@ -6,14 +6,14 @@
 
 
 [% BLOCK renderJobsetInput %]
-  <tr class="input [% extraClass %]" [% IF id %]id="[% id %]"[% END %]>
+  <tr class="input [% extraClass %]" [% IF id %][% HTML.attributes(id => id) %][% END %]>
     <td>
       <tt>[% HTML.escape(input.name) %]</tt>
     </td>
     <td>
       [% INCLUDE renderSelection curValue=input.type param="$baseName-type" options=inputTypes %]
     </td>
-    <td class="inputalts" id="[% baseName %]">
+    <td class="inputalts" [% HTML.attributes(id => baseName) %]>
       [% FOREACH alt IN input.search_related('jobsetinputalts', {}, { order_by => 'altnr' }) %]
         <tt class="inputalt">
           [% IF input.type == "string" %]
@@ -153,11 +153,11 @@
       [% END %]
       <tr>
         <th>Check interval:</th>
-        <td>[% jobset.checkinterval || "<em>disabled</em>"  %]</td>
+        <td>[% HTML.escape(jobset.checkinterval) || "<em>disabled</em>"  %]</td>
       </tr>
       <tr>
         <th>Scheduling shares:</th>
-        <td>[% jobset.schedulingshares %] [% IF totalShares %] ([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% totalShares %] shares)[% END %]</td>
+        <td>[% HTML.escape(jobset.schedulingshares) %] [% IF totalShares %] ([% f = format("%.2f"); f(jobset.schedulingshares / totalShares * 100) %]% out of [% HTML.escape(totalShares) %] shares)[% END %]</td>
       </tr>
       <tr>
         <th>Enable Dynamic RunCommand Hooks:</th>
@@ -175,7 +175,7 @@
       [% END %]
       <tr>
         <th>Number of evaluations to keep:</th>
-        <td>[% jobset.keepnr %]</td>
+        <td>[% HTML.escape(jobset.keepnr) %]</td>
       </tr>
     </table>
 
@@ -188,7 +188,7 @@
 
   <div id="tabs-links" class="tab-pane">
     <ul>
-      <li><a href="[% c.uri_for(c.controller('Jobset').action_for('latest_eval'), c.req.captures) %]">Latest finished evaluation</a></li>
+      <li><a [% HTML.attributes(href => c.uri_for(c.controller('Jobset').action_for('latest_eval'), c.req.captures)) %]>Latest finished evaluation</a></li>
     </ul>
   </div>
 

src/root/layout.tt

@@ -24,7 +24,7 @@
 
     <nav class="navbar navbar-expand-md navbar-light bg-light">
       <div class="container">
-        <a class="navbar-brand" href="[% c.uri_for(c.controller('Root').action_for('index')) %]">
+        <a class="navbar-brand" [% HTML.attributes(href => c.uri_for(c.controller('Root').action_for('index'))) %]>
           [% IF logo == "" %]
             Hydra
           [% ELSE %]

src/root/log.tt

@@ -11,14 +11,14 @@
   [% ELSE %]
   is
   [% END %]
-  the build log (<a href="[% step ? c.uri_for('/build' build.id 'nixlog' step.stepnr, 'raw')
-  : c.uri_for('/build' build.id 'log', 'raw') %]">raw</a>) of derivation <tt>[% IF step; step.drvpath; ELSE; build.drvpath; END %]</tt>.
+  the build log (<a [% HTML.attributes(href => step ? c.uri_for('/build' build.id 'nixlog' step.stepnr, 'raw')
+  : c.uri_for('/build' build.id 'log', 'raw')) %]>raw</a>) of derivation <tt>[% IF step; step.drvpath; ELSE; build.drvpath; END %]</tt>.
   [% IF step && step.machine %]
-    It was built on <tt>[% step.machine %]</tt>.
+    It was built on <tt>[% step.machine | html %]</tt>.
   [% END %]
   [% IF tail %]
-  The <a href="[% step ? c.uri_for('/build' build.id 'nixlog' step.stepnr)
-  : c.uri_for('/build' build.id 'log') %]">full log</a> is also available.
+  The <a [% HTML.attributes(href => step ? c.uri_for('/build' build.id 'nixlog' step.stepnr)
+  : c.uri_for('/build' build.id 'log')) %]>full log</a> is also available.
   [% END %]
 </p>
 
@@ -37,7 +37,7 @@
         [% IF tail %]
         /* The server may give us a full log (e.g. if the log is in
            S3). So extract the last lines. */
-        log_data = log_data.split("\n").slice(-[%tail%]).join("\n");
+        log_data = log_data.split("\n").slice(-[% HTML.escape(tail) %]).join("\n");
         [% END %]
 
         $("#contents").text(log_data);

src/root/machine-status.tt

@@ -21,22 +21,22 @@
           <tt [% IF m.value.disabled %]style="text-decoration: line-through;"[% END %]>[% INCLUDE renderMachineName machine=m.key %]</tt>
           [% IF m.value.primarySystemType %]
             <span class="muted" style="font-weight: normal;">
-              (<tt>[% m.value.primarySystemType %]</tt>)
+              (<tt>[% m.value.primarySystemType | html %]</tt>)
             </span>
             &nbsp;
             [% WRAPPER makePopover title="Details" classes="btn-secondary btn-sm" %]
               <ul class="list-unstyled mb-0">
-                <li><b>System types:&nbsp;</b>[% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% system %]</tt>[% END %]</li>
-                <li><b>Supported Features:&nbsp;</b>[% comma=0; FOREACH feat IN m.value.supportedFeatures %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% feat %]</tt>[% END %]</li>
-                <li><b>Mandatory Features:&nbsp;</b>[% comma=0; FOREACH feat IN m.value.mandatoryFeatures %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% feat %]</tt>[% END %]</li>
+                <li><b>System types:&nbsp;</b>[% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% system | html%]</tt>[% END %]</li>
+                <li><b>Supported Features:&nbsp;</b>[% comma=0; FOREACH feat IN m.value.supportedFeatures %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% feat| html %]</tt>[% END %]</li>
+                <li><b>Mandatory Features:&nbsp;</b>[% comma=0; FOREACH feat IN m.value.mandatoryFeatures %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% feat| html %]</tt>[% END %]</li>
                 <li><b>Capacity:&nbsp;</b>[% INCLUDE renderYesNo value=m.value.hasCapacity %]&nbsp;<b>Static:&nbsp;</b>[% INCLUDE renderYesNo value=m.value.hasStaticCapacity %]&nbsp;<b>Dynamic:&nbsp;</b>[% INCLUDE renderYesNo value=m.value.hasDynamicCapacity %]</li>
-                <li><b>Scheduling Score:&nbsp;</b>[% m.value.score %]</li>
-                <li><b>Load:&nbsp;</b><tt>[% pretty_load(m.value.stats.load1) %]</tt>&nbsp;&nbsp;&nbsp;<tt>[% pretty_load(m.value.stats.load5) %]</tt>&nbsp;&nbsp;&nbsp;<tt>[% pretty_load(m.value.stats.load15) %]</tt></li>
-                <li><b>Memory:&nbsp;</b><tt>[% human_bytes(m.value.stats.memUsage) %]</tt> of <tt>[% human_bytes(m.value.memTotal) %]</tt> used (<tt>[% human_bytes(m.value.memTotal - m.value.stats.memUsage) %]</tt> free)</li>
+                <li><b>Scheduling Score:&nbsp;</b>[% HTML.escape(m.value.score) %]</li>
+                <li><b>Load:&nbsp;</b><tt>[% pretty_load(m.value.stats.load1) | html %]</tt>&nbsp;&nbsp;&nbsp;<tt>[% pretty_load(m.value.stats.load5) | html %]</tt>&nbsp;&nbsp;&nbsp;<tt>[% pretty_load(m.value.stats.load15) | html %]</tt></li>
+                <li><b>Memory:&nbsp;</b><tt>[% human_bytes(m.value.stats.memUsage) | html %]</tt> of <tt>[% human_bytes(m.value.memTotal) | html %]</tt> used (<tt>[% human_bytes(m.value.memTotal - m.value.stats.memUsage) | html %]</tt> free)</li>
                 [% pressure = m.value.stats.pressure %]
                 [% MACRO render_pressure(title, pressure) BLOCK %]
                     [% IF pressure %]
-                        <tr><td><b>[% title %]:</b></td><td><tt>[% pretty_percent(pressure.avg10) %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg60) %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg300) %]%</tt></td><td>
+                        <tr><td><b>[% HTML.escape(title) %]:</b></td><td><tt>[% pretty_percent(pressure.avg10) %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg60) %]%</tt></td><td><td><tt>[% pretty_percent(pressure.avg300) %]%</tt></td><td>
                     [% END %]
                 [% END %]
                 [% IF pressure %]
@@ -56,7 +56,7 @@
           [% ELSE %]
             [% IF m.value.systemTypes %]
               <span class="muted" style="font-weight: normal;">
-                ([% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% system %]</tt>[% END %])
+                ([% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END %]<tt>[% system | html %]</tt>[% END %])
               </span>
             [% END %]
           [% END %]
@@ -76,9 +76,9 @@
           [% idle = 0 %]
           <tr>
             <td><tt>[% INCLUDE renderFullJobName project=step.project jobset=step.jobset job=step.job %]</tt></td>
-            <td><a href="[% c.uri_for('/build' step.build) %]">[% step.build %]</a></td>
-            <td>[% IF step.busy >= 30 %]<a class="row-link" href="[% c.uri_for('/build' step.build 'nixlog' step.stepnr 'tail') %]">[% step.stepnr %]</a>[% ELSE; step.stepnr; END %]</td>
-            <td><tt>[% step.drvpath.match('-(.*)').0 %]</tt></td>
+            <td><a [% HTML.attributes(href => c.uri_for('/build' step.build)) %]>[% HTML.escape(step.build) %]</a></td>
+            <td>[% IF step.busy >= 30 %]<a class="row-link" [% HTML.attributes(href => c.uri_for('/build' step.build 'nixlog' step.stepnr 'tail')) %]>[% HTML.escape(step.stepnr) %]</a>[% ELSE; HTML.escape(step.stepnr); END %]</td>
+            <td><tt>[% step.drvpath.match('-(.*)').0 | html %]</tt></td>
             <td>[% INCLUDE renderBusyStatus %]</td>
             <td style="width: 10em">[% INCLUDE renderDuration duration = curTime - step.starttime %] </td>
           </tr>

src/root/machines.tt

@@ -15,11 +15,11 @@
         [% FOREACH m IN machines %]
         <tr>
             <td><input type="checkbox" name="enabled" [% IF m.value.maxJobs > 0  %]CHECKED[% END %] disabled="true" /></td>
-            <td>[% m.key %]</a></td>
-            <td>[% m.value.maxJobs %]</td>
-            <td>[% m.value.speedFactor %]</td>
+            <td>[% HTML.escape(m.key) %]</a></td>
+            <td>[% HTML.escape(m.value.maxJobs) %]</td>
+            <td>[% HTML.escape(m.value.speedFactor) %]</td>
             <td>
-                [% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END; system; END %]
+                [% comma=0; FOREACH system IN m.value.systemTypes %][% IF comma; %], [% ELSE; comma = 1; END; HTML.escape(system); END %]
             </td>
         </tr>
         [% END %]

src/root/overview.tt

@@ -6,7 +6,7 @@
     [% FOREACH i IN newsItems %]
       <div class="news-item">
         [% contents = String.new(i.contents) %]
-        <h4 class="alert-heading">[% INCLUDE renderDateTime timestamp=i.createtime %] by [% i.author.fullname %]</h4>
+        <h4 class="alert-heading">[% INCLUDE renderDateTime timestamp=i.createtime %] by [% HTML.escape(i.author.fullname) %]</h4>
         [% contents.replace('\n','<br />\n') %]
       </div>
     [% END %]
@@ -65,7 +65,7 @@
 [% ELSE %]
 
   <div class="alert alert-warning">Hydra has no projects yet. Please
-  <a href="[% c.uri_for(c.controller('Project').action_for('create')) %]">create a project</a>.</div>
+  <a [% HTML.attributes(href => c.uri_for(c.controller('Project').action_for('create'))) %]>create a project</a>.</div>
 
 [% END %]
 

src/root/product-list.tt

@@ -1,17 +1,17 @@
 [% BLOCK renderProductLinks %]
   <tr>
     <th>URL:</th>
-    <td><a href="[% uri %]"><tt>[% uri %]</tt></a></td>
+    <td><a [% HTML.attributes(href => uri) %]><tt>[% uri | html %]</tt></a></td>
   </tr>
   [% IF latestRoot %]
   <tr>
     <th>Links to latest:</th>
     <td>
       [% uri2 = "${c.uri_for(latestRoot.join('/') 'download-by-type' product.type product.subtype)}" %]
-      <a href="[% uri2 %]"><tt>[% uri2 %]</tt></a>
+      <a [% HTML.attributes(href => uri2) %]><tt>[% uri2 | html %]</tt></a>
       <br />
       [% uri2 = "${c.uri_for(latestRoot.join('/') 'download' product.productnr)}" %]
-      <a href="[% uri2 %]"><tt>[% uri2 %]</tt></a>
+      <a [% HTML.attributes(href => uri2) %]><tt>[% uri2 | html %]</tt></a>
     </td>
   </tr>
   [% END %]
@@ -49,7 +49,7 @@
               Error
             </td>
             <td>
-              <a href="[% contents %]">
+              <a [% HTML.attributes(href => contents) %]>
                 Failed build produced output. Click here to inspect the output.
               </a>
             </td>
@@ -58,9 +58,9 @@
                <p>If you have Nix installed on your machine, this failed build output and
                all its dependencies can be unpacked into your local Nix store by doing:</p>
 
-               <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>curl [% uri %] | gunzip | nix-store --import</code></div></div>
+               <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>curl [% HTML.escape(uri) %] | gunzip | nix-store --import</code></div></div>
 
-               <p>The build output can then be found in the path <tt>[% product.path %]</tt>.</p>
+               <p>The build output can then be found in the path <tt>[% product.path | html %]</tt>.</p>
              [% END %]
             </td>
           </tr>
@@ -74,17 +74,17 @@
               Nix package
             </td>
             <td>
-              <tt>[% HTML.escape(build.nixname) %]</tt>
+              <tt>[% build.nixname | html %]</tt>
             </td>
             <td>
               [% WRAPPER makePopover title="Help" classes="btn-secondary btn-sm"
               %] <p>You can install this package using the Nix package
               manager from the command-line:</p>
 
-                <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>nix-env -i [%HTML.escape(product.path)%][% IF binaryCachePublicUri %] --option binary-caches [% HTML.escape(binaryCachePublicUri) %][% END %]</code></div></div>
+                <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>nix-env -i [% HTML.escape(product.path) %][% IF binaryCachePublicUri %] --option binary-caches [% HTML.escape(binaryCachePublicUri) %][% END %]</code></div></div>
               [% END %]
               [% IF localStore %]
-                <a class="btn btn-secondary btn-sm" href="[% contents %]">Contents</a>
+                <a class="btn btn-secondary btn-sm" [% HTML.attributes(href => contents) %]>Contents</a>
               [% END %]
             </td>
           </tr>
@@ -100,8 +100,8 @@
               [% filename = build.nixname _ (product.subtype ? "-" _ product.subtype : "") _ ".closure.gz" %]
               [% uri = c.uri_for('/build' build.id 'nix' 'closure' filename ) %]
 
-              <a href="[% uri %]">
-                <tt>[% product.path %]</tt>
+              <a [% HTML.attributes(href => uri) %]>
+                <tt>[% product.path | html %]</tt>
               </a>
             </td>
             <td>
@@ -110,16 +110,16 @@
                 all its dependencies can be unpacked into your local Nix
                 store by doing:</p>
 
-                <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>gunzip &lt; [% filename %] | nix-store --import</code></div></div>
+                <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>gunzip &lt; [% HTML.escape(filename) %] | nix-store --import</code></div></div>
 
                 <p>or to download and unpack in one command:</p>
 
-                <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>curl [% uri %] | gunzip | nix-store --import</code></div></div>
+                <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>curl [% HTML.escape(uri) %] | gunzip | nix-store --import</code></div></div>
 
                 <p>The package can then be found in the path <tt>[%
-                product.path %]</tt>.  You’ll probably also want to do</p>
+                product.path | html %]</tt>.  You’ll probably also want to do</p>
 
-                <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>nix-env -i [% product.path %]</code></div></div>
+                <div class="card bg-light"><div class="card-body p-2"><code><span class="shell-prompt">$ </span>nix-env -i [% HTML.escape(product.path) %]</code></div></div>
 
                 <p>to actually install the package in your Nix user environment.</p>
 
@@ -174,16 +174,16 @@
             </td>
             <td>
               Channel expression tarball
-              [% IF product.subtype != "-" %]for <tt>[% product.subtype %]</tt>[% END %]
+              [% IF product.subtype != "-" %]for <tt>[% product.subtype | html %]</tt>[% END %]
             </td>
           [% ELSE %]
             <td>File</td>
-            <td>[% product.subtype %]</td>
+            <td>[% HTML.escape(product.subtype) %]</td>
           [% END %]
         [% END %]
         <td>
-          <a href="[% uri %]">
-            <tt>[% product.name %]</tt>
+          <a [% HTML.attributes(href => uri) %]>
+            <tt>[% product.name | html %]</tt>
           </a>
         </td>
         <td>
@@ -191,12 +191,12 @@
             <table class="info-table">
               [% INCLUDE renderProductLinks %]
               <tr><th>File size:</th><td>[% product.filesize %] bytes ([% mibs(product.filesize / (1024 * 1024)) %] MiB)</td></tr>
-              <tr><th>SHA-256 hash:</th><td><tt>[% product.sha256hash %]</tt></td></tr>
-              <tr><th>Full path:</th><td><tt>[% product.path %]</tt></td></tr>
+              <tr><th>SHA-256 hash:</th><td><tt>[% product.sha256hash | html %]</tt></td></tr>
+              <tr><th>Full path:</th><td><tt>[% product.path | html %]</tt></td></tr>
             </table>
           [% END %]
           [% IF localStore %]
-            <a class="btn btn-secondary btn-sm" href="[% contents %]">Contents</a>
+            <a class="btn btn-secondary btn-sm" [% HTML.attributes(href => contents) %]>Contents</a>
           [% END %]
         </td>
       </tr>
@@ -211,15 +211,15 @@
         [% CASE "coverage" %]
           <td>Code coverage</td>
           <td>
-            <a href="[% uri %]">
+            <a [% HTML.attributes(href => uri) %]>
               Analysis report
             </a>
           </td>
         [% CASE DEFAULT %]
           <td>Report</td>
           <td>
-            <a href="[% uri %]">
-              <tt>[% product.subtype %]</tt>
+            <a [% HTML.attributes(href => uri) %]>
+              <tt>[% product.subtype | html %]</tt>
             </a>
           </td>
         [% END %]
@@ -240,7 +240,7 @@
           Documentation
         </td>
         <td>
-        <a href="[% uri %]">
+        <a [% HTML.attributes(href => uri) %]>
           [% SWITCH product.subtype %]
           [% CASE "readme" %]
             Read Me!
@@ -249,7 +249,7 @@
           [% CASE "release-notes" %]
             Release notes
           [% CASE DEFAULT %]
-            [% product.subtype %]
+            [% HTML.escape(product.subtype) %]
           [% END %]
         </a>
         </td>
@@ -266,12 +266,12 @@
 
       <tr class="product">
         <td>
-          <tt>[% product.type %]</tt>
+          <tt>[% product.type | html %]</tt>
         </td>
         <td>
         </td>
         <td>
-         [% product %]
+         [% HTML.escape(product) %]
         </td>
         <td>
         </td>

src/root/queue-summary.tt

@@ -39,7 +39,7 @@
       [% FOREACH s IN systems %]
         <tr>
           <td><tt>[% HTML.escape(s.system) %]</tt></td>
-          <td>[% s.c %]</td>
+          <td>[% HTML.escape(s.c) %]</td>
         </tr>
       [% END %]
     </tdata>

src/root/reproduce.tt

@@ -117,7 +117,7 @@ else
     revCount="$(cat "$tmpDir/[% input.name %]/rev-count")"
 fi
 
-args+=(--arg '[% input.name %]' "{ outPath = $inputDir; rev = \"[% input.revision %]\"; shortRev = \"[% input.revision.substr(0, 7) %]\"; revCount = $revCount; }")
+args+=(--arg '[% input.name %]' "{ outPath = $inputDir; rev = \"[% input.revision %]\"; shortRev = \"[% input.frontend_revision %]\"; revCount = $revCount; }")
 
 [%+ ELSIF input.type == "hg" %]
 

src/root/runcommand-log.tt

@@ -12,9 +12,9 @@
   is
   [% END %]
   the output of a RunCommand execution of the command <tt>[% HTML.escape(runcommandlog.command) %]</tt>
-  on <a href="[% c.uri_for('/build', build.id) %]">Build [% build.id %]</a>.
+  on <a [% HTML.attributes(href => c.uri_for('/build', build.id)) %]>Build [% HTML.escape(build.id) %]</a>.
   [% IF tail %]
-  The <a href="[% c.uri_for('/build', build.id, 'runcommandlog', runcommandlog.uuid) %]">full log</a> is also available.
+  The <a [% HTML.attributes(href => c.uri_for('/build', build.id, 'runcommandlog', runcommandlog.uuid)) %]>full log</a> is also available.
   [% END %]
 </p>
 
@@ -33,7 +33,7 @@
         [% IF tail %]
         /* The server may give us a full log (e.g. if the log is in
            S3). So extract the last lines. */
-        log_data = log_data.split("\n").slice(-[%tail%]).join("\n");
+        log_data = log_data.split("\n").slice(-[% HTML.escape(tail) %]).join("\n");
         [% END %]
 
         $("#contents").text(log_data);

src/root/search.tt

@@ -7,7 +7,7 @@
 
 [% IF builds.size > 0 %]
 
-  <p>The following builds match your query:[% IF builds.size > limit %] <span class="text-warning">(first [% limit %] results only)</span>[% END %]</p>
+  <p>The following builds match your query:[% IF builds.size > limit %] <span class="text-warning">(first [% HTML.escape(limit) %] results only)</span>[% END %]</p>
 
   [% INCLUDE renderBuildList %]
 
@@ -58,7 +58,7 @@
 
 [% IF jobs.size > 0; matched = 1 %]
 
-  <p>The following jobs match your query:[% IF jobs.size > limit %] <span class="text-warning">(first [% limit %] results only)</span>[% END %]</p>
+  <p>The following jobs match your query:[% IF jobs.size > limit %] <span class="text-warning">(first [% HTML.escape(limit) %] results only)</span>[% END %]</p>
 
   <table class="table table-striped table-condensed clickable-rows">
     <thead>

src/root/steps.tt

@@ -2,7 +2,7 @@
 [% PROCESS common.tt %]
 
 <p>Showing steps [% (page - 1) * resultsPerPage + 1 %] - [% (page - 1)
-* resultsPerPage + steps.size %] of about [% total %] in
+* resultsPerPage + steps.size %] of about [% HTML.escape(total) %] in
 order of descending finish time.</p>
 
 <table class="table table-striped table-condensed clickable-rows">
@@ -24,8 +24,8 @@ order of descending finish time.</p>
         <td>[% INCLUDE renderBuildStatusIcon buildstatus=step.status size=16 %]</td>
         <td><tt>[% step.drvpath.match('-(.*).drv').0 %]</tt></td>
         <td><tt>[% INCLUDE renderFullJobNameOfBuild build=step.build %]</tt></td>
-        <td><a href="[% c.uri_for('/build' step.build.id) %]">[% step.build.id %]</a></td>
-        <td><a class="row-link" href="[% c.uri_for('/build' step.build.id 'nixlog' step.stepnr 'tail') %]">[% step.stepnr %]</a></td>
+        <td><a [% HTML.attributes(href => c.uri_for('/build' step.build.id)) %]>[% HTML.escape(step.build.id) %]</a></td>
+        <td><a class="row-link" [% HTML.attributes(href => c.uri_for('/build' step.build.id 'nixlog' step.stepnr 'tail')) %]>[% HTML.escape(step.stepnr) %]</a></td>
         <td>[% INCLUDE renderRelativeDate timestamp=step.stoptime %]</td>
         <td style="width: 10em">[% INCLUDE renderDuration duration = step.stoptime - step.starttime %] </td>
         <td><tt>[% INCLUDE renderMachineName machine=step.machine %]</tt></td>

src/root/style.tt

@@ -4,14 +4,14 @@
 
 <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 
-<link href="[% c.uri_for("/static/fontawesome/css/all.css") %]" rel="stylesheet" />
+<link [% HTML.attributes(href => c.uri_for("/static/fontawesome/css/all.css")) %] rel="stylesheet" />
 <script type="text/javascript" src="[% c.uri_for("/static/js/popper.min.js") %]"></script>
 <script type="text/javascript" src="[% c.uri_for("/static/bootstrap/js/bootstrap.min.js") %]"></script>
-<link href="[% c.uri_for("/static/bootstrap/css/bootstrap.min.css") %]" rel="stylesheet" />
+<link [% HTML.attributes(href => c.uri_for("/static/bootstrap/css/bootstrap.min.css")) %] rel="stylesheet" />
 
 <!-- hydra.css may need to be moved to before boostrap to make the @media rule work. -->
-<link rel="stylesheet" href="[% c.uri_for("/static/css/hydra.css") %]" type="text/css" />
-<link rel="stylesheet" href="[% c.uri_for("/static/css/rotated-th.css") %]" type="text/css" />
+<link rel="stylesheet" [% HTML.attributes(href => c.uri_for("/static/css/hydra.css")) %] type="text/css" />
+<link rel="stylesheet" [% HTML.attributes(href => c.uri_for("/static/css/rotated-th.css")) %] type="text/css" />
 
 <style>
   .popover { max-width: 40%; }
@@ -19,6 +19,6 @@
 
 <script type="text/javascript" src="[% c.uri_for("/static/js/bootbox.min.js") %]"></script>
 
-<link rel="stylesheet" href="[% c.uri_for("/static/css/tree.css") %]" type="text/css" />
+<link rel="stylesheet" [% HTML.attributes(href => c.uri_for("/static/css/tree.css")) %] type="text/css" />
 
 <script type="text/javascript" src="[% c.uri_for("/static/js/common.js") %]"></script>

src/root/topbar.tt

@@ -1,6 +1,6 @@
 [% BLOCK makeSubMenu %]
   <li class="nav-item dropdown" [% IF id; HTML.attributes(id => id); END %] >
-    <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown">[% title %]<b class="caret"></b></a>
+    <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown">[% HTML.escape(title) %]<b class="caret"></b></a>
     <div class="dropdown-menu[% IF align == 'right' %] dropdown-menu-right[% END %]">
       [% content %]
     </div>
@@ -143,7 +143,7 @@
         <div class="dropdown-divider"></div>
       [% END %]
       [% IF c.config.github_client_id %]
-        <a class="dropdown-item" href="/github-redirect?after=[% c.req.path %]">Sign in with GitHub</a>
+        <a class="dropdown-item" href="/github-redirect?after=[% c.req.path | uri %]">Sign in with GitHub</a>
         <div class="dropdown-divider"></div>
       [% END %]
       <a class="dropdown-item" href="#hydra-signin" data-toggle="modal">Sign in with a Hydra account</a>

src/root/user.tt

@@ -17,7 +17,7 @@
       disabled="disabled"
     [% END %]
     [% HTML.attributes(id => "role-${role}", value => role) %] />
-  <label [% HTML.attributes(for => "role-${role}") %]> [% role %]</label><br />
+  <label [% HTML.attributes(for => "role-${role}") %]> [% HTML.escape(role) %]</label><br />
   [% END %]
 
 <form>

src/root/users.tt

@@ -14,17 +14,17 @@
   <tbody>
     [% FOREACH u IN users %]
       <tr>
-        <td><a class="row-link" href="[% c.uri_for(c.controller('User').action_for('edit'), [u.username]) %]">[% HTML.escape(u.username) %]</a></td>
+        <td><a class="row-link" [% HTML.attributes(href => c.uri_for(c.controller('User').action_for('edit'), [u.username])) %]>[% HTML.escape(u.username) %]</a></td>
         <td>[% HTML.escape(u.fullname) %]</td>
         <td>[% HTML.escape(u.emailaddress) %]</td>
-        <td>[% FOREACH r IN u.userroles %]<i>[% r.role %]</i> [% END %]</td>
+        <td>[% FOREACH r IN u.userroles %]<i>[% HTML.escape(r.role) %]</i> [% END %]</td>
         <td>[% IF u.emailonerror %]Yes[% ELSE %]No[% END %]</td>
       </tr>
     [% END %]
   </tbody>
 </table>
 
-<a class="btn btn-primary" href="[% c.uri_for(c.controller('Root').action_for('register')) %]">
+<a class="btn btn-primary" [% HTML.attributes(href => c.uri_for(c.controller('Root').action_for('register'))) %]>
   <i class="fas fa-plus"></i> Add a new user
 </a>
 

src/script/hydra-eval-jobset

@@ -160,7 +160,7 @@ sub fetchInputSystemBuild {
     $jobsetName ||= $jobset->name;
 
     my @latestBuilds = $db->resultset('LatestSucceededForJobName')
-        ->search({}, {bind => [$jobsetName, $jobName]});
+        ->search({}, {bind => [$projectName, $jobsetName, $jobName]});
 
     my @validBuilds = ();
     foreach my $build (@latestBuilds) {
@@ -366,7 +366,13 @@ sub evalJobs {
             "or flake.checks " .
             "or (throw \"flake '$flakeRef' does not provide any Hydra jobs or checks\")";
 
-        @cmd = ("nix-eval-jobs", "--expr", $nix_expr);
+        @cmd = ("nix-eval-jobs",
+                # Disable the eval cache to prevent SQLite database contention.
+                # Since Hydra typically evaluates each revision only once,
+                # parallel workers would compete for database locks without
+                # providing any benefit from caching.
+                "--option", "eval-cache", "false",
+                "--expr", $nix_expr);
     } else {
         my $nixExprInput = $inputInfo->{$nixExprInputName}->[0]
             or die "cannot find the input containing the job expression\n";
@@ -382,7 +388,7 @@ sub evalJobs {
     push @cmd, "--meta";
     push @cmd, "--constituents";
     push @cmd, "--force-recurse";
-    push @cmd, ("--option", "allow-import-from-derivation", "false") if $config->{allow_import_from_derivation} // "true" ne "true";
+    push @cmd, ("--option", "allow-import-from-derivation", "false") if ($config->{allow_import_from_derivation} // "false") ne "true";
     push @cmd, ("--workers", $config->{evaluator_workers} // 1);
     push @cmd, ("--max-memory-size", $config->{evaluator_max_memory_size} // 4096);
 
@@ -885,6 +891,7 @@ sub checkJobsetWrapped {
                         , type => $input->{type}
                         , uri => $input->{uri}
                         , revision => $input->{revision}
+                        , shortRevLength => length($input->{shortRev})
                         , value => $input->{value}
                         , dependency => $input->{id}
                         , path => $input->{storePath} || "" # !!! temporary hack

src/script/hydra-send-stats

@@ -9,6 +9,7 @@ use Net::Statsd;
 use File::Slurper qw(read_text);
 use JSON::MaybeXS;
 use Getopt::Long qw(:config gnu_getopt);
+use IPC::Run3;
 
 STDERR->autoflush(1);
 binmode STDERR, ":encoding(utf8)";
@@ -25,10 +26,11 @@ sub gauge {
 }
 
 sub sendQueueRunnerStats {
-    my $s = `hydra-queue-runner --status`;
-    die "cannot get queue runner stats\n" if $? != 0;
+    my ($stdout, $stderr);
+    run3(['hydra-queue-runner', '--status'], \undef, \$stdout, \$stderr);
+    die "cannot get queue runner stats: $stderr\n" if $? != 0;
 
-    my $json = decode_json($s) or die "cannot decode queue runner status";
+    my $json = decode_json($stdout) or die "cannot decode queue runner status";
 
     gauge("hydra.queue.up", $json->{status} eq "up" ? 1 : 0);
 

src/sql/hydra.sql

@@ -487,11 +487,12 @@ create table JobsetEvalInputs (
     altNr         integer not null,
 
     -- Copied from the jobsetinputs from which the build was created.
-    type          text not null,
-    uri           text,
-    revision      text,
-    value         text,
-    dependency    integer, -- build ID of the input, for type == 'build'
+    type           text not null,
+    uri            text,
+    revision       text,
+    shortRevLength smallint, -- length of a short revision at the time this was checked out
+    value          text,
+    dependency     integer, -- build ID of the input, for type == 'build'
 
     path          text,
 

src/sql/meson.build

@@ -1,90 +1,7 @@
-sql_files = files(
-  'hydra.sql',
-  'test.sql',
-  'update-dbix.pl',
-  'upgrade-2.sql',
-  'upgrade-3.sql',
-  'upgrade-4.sql',
-  'upgrade-5.sql',
-  'upgrade-6.sql',
-  'upgrade-7.sql',
-  'upgrade-8.sql',
-  'upgrade-9.sql',
-  'upgrade-10.sql',
-  'upgrade-11.sql',
-  'upgrade-12.sql',
-  'upgrade-13.sql',
-  'upgrade-14.sql',
-  'upgrade-15.sql',
-  'upgrade-16.sql',
-  'upgrade-17.sql',
-  'upgrade-18.sql',
-  'upgrade-19.sql',
-  'upgrade-20.sql',
-  'upgrade-21.sql',
-  'upgrade-22.sql',
-  'upgrade-23.sql',
-  'upgrade-24.sql',
-  'upgrade-25.sql',
-  'upgrade-26.sql',
-  'upgrade-27.sql',
-  'upgrade-28.sql',
-  'upgrade-29.sql',
-  'upgrade-30.sql',
-  'upgrade-31.sql',
-  'upgrade-32.sql',
-  'upgrade-33.sql',
-  'upgrade-34.sql',
-  'upgrade-35.sql',
-  'upgrade-36.sql',
-  'upgrade-37.sql',
-  'upgrade-38.sql',
-  'upgrade-39.sql',
-  'upgrade-40.sql',
-  'upgrade-41.sql',
-  'upgrade-42.sql',
-  'upgrade-43.sql',
-  'upgrade-44.sql',
-  'upgrade-45.sql',
-  'upgrade-46.sql',
-  'upgrade-47.sql',
-  'upgrade-48.sql',
-  'upgrade-49.sql',
-  'upgrade-50.sql',
-  'upgrade-51.sql',
-  'upgrade-52.sql',
-  'upgrade-53.sql',
-  'upgrade-54.sql',
-  'upgrade-55.sql',
-  'upgrade-56.sql',
-  'upgrade-57.sql',
-  'upgrade-58.sql',
-  'upgrade-59.sql',
-  'upgrade-60.sql',
-  'upgrade-61.sql',
-  'upgrade-62.sql',
-  'upgrade-63.sql',
-  'upgrade-64.sql',
-  'upgrade-65.sql',
-  'upgrade-66.sql',
-  'upgrade-67.sql',
-  'upgrade-68.sql',
-  'upgrade-69.sql',
-  'upgrade-70.sql',
-  'upgrade-71.sql',
-  'upgrade-72.sql',
-  'upgrade-73.sql',
-  'upgrade-74.sql',
-  'upgrade-75.sql',
-  'upgrade-76.sql',
-  'upgrade-77.sql',
-  'upgrade-78.sql',
-  'upgrade-79.sql',
-  'upgrade-80.sql',
-  'upgrade-81.sql',
-  'upgrade-82.sql',
-  'upgrade-83.sql',
-  'upgrade-84.sql',
+# Install all SQL files in this directory.
+# This includes hydra.sql, test.sql, update-dbix.pl, and all upgrade-*.sql files.
+install_subdir('.',
+  install_dir: hydra_libexecdir / 'sql',
+  strip_directory: true,
+  exclude_files: ['meson.build', 'update-dbix-harness.sh'],
 )
-
-install_data(sql_files, install_dir: hydra_libexecdir / 'sql')

src/sql/upgrade-85.sql

@@ -0,0 +1 @@
+ALTER TABLE JobsetEvalInputs ADD COLUMN shortRevLength smallint;

t/Hydra/Controller/API/checks.t

@@ -6,6 +6,7 @@ use Catalyst::Test ();
 use HTTP::Request;
 use HTTP::Request::Common;
 use JSON::MaybeXS qw(decode_json encode_json);
+use Digest::SHA qw(hmac_sha256_hex);
 
 sub is_json {
     my ($response, $message) = @_;
@@ -21,7 +22,13 @@ sub is_json {
     return $data;
 }
 
-my $ctx = test_context();
+my $ctx = test_context(hydra_config => qq|
+    <webhooks>
+        <github>
+            secret = test
+        </github>
+    </webhooks>
+|);
 Catalyst::Test->import('Hydra');
 
 # Create a user to log in to
@@ -188,16 +195,20 @@ subtest "/api/push-github" => sub {
         my $jobsetinput = $jobset->jobsetinputs->create({name => "src", type => "git"});
         $jobsetinput->jobsetinputalts->create({altnr => 0, value => "https://github.com/OWNER/LEGACY-REPO.git"});
 
+        my $payload = encode_json({
+            repository => {
+                owner => {
+                    name => "OWNER",
+                },
+                name => "LEGACY-REPO",
+            }
+        });
+        my $signature = "sha256=" . hmac_sha256_hex($payload, 'test');
+
         my $req = POST '/api/push-github',
             "Content-Type" => "application/json",
-            "Content" => encode_json({
-                repository => {
-                    owner => {
-                        name => "OWNER",
-                    },
-                    name => "LEGACY-REPO",
-                }
-            });
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
 
         my $response = request($req);
         ok($response->is_success, "The API enpdoint for triggering jobsets returns 200.");
@@ -214,16 +225,20 @@ subtest "/api/push-github" => sub {
             emailoverride => ""
         });
 
+        my $payload = encode_json({
+            repository => {
+                owner => {
+                    name => "OWNER",
+                },
+                name => "FLAKE-REPO",
+            }
+        });
+        my $signature = "sha256=" . hmac_sha256_hex($payload, 'test');
+
         my $req = POST '/api/push-github',
             "Content-Type" => "application/json",
-            "Content" => encode_json({
-                repository => {
-                    owner => {
-                        name => "OWNER",
-                    },
-                    name => "FLAKE-REPO",
-                }
-            });
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
 
         my $response = request($req);
         ok($response->is_success, "The API enpdoint for triggering jobsets returns 200.");

t/Hydra/Controller/API/webhooks.t

@@ -0,0 +1,209 @@
+use strict;
+use warnings;
+use Setup;
+use Test2::V0;
+use Test2::Tools::Subtest qw(subtest_streamed);
+use HTTP::Request;
+use HTTP::Request::Common;
+use JSON::MaybeXS qw(decode_json encode_json);
+use Digest::SHA qw(hmac_sha256_hex);
+
+# Create webhook configuration
+my $github_secret = "github-test-secret-12345";
+my $github_secret_alt = "github-alternative-secret";
+my $gitea_secret = "gitea-test-secret-abcdef";
+
+# Create a temporary directory first to get the path
+use File::Temp;
+my $tmpdir = File::Temp->newdir(CLEANUP => 0);
+my $tmpdir_path = $tmpdir->dirname;
+
+# Write webhook secrets configuration before creating test context
+mkdir "$tmpdir_path/hydra-data";
+
+# Create webhook secrets configuration file
+my $webhook_config = qq|
+<github>
+  secret = $github_secret
+  secret = $github_secret_alt
+</github>
+<gitea>
+  secret = $gitea_secret
+</gitea>
+|;
+write_file("$tmpdir_path/hydra-data/webhook-secrets.conf", $webhook_config);
+chmod 0600, "$tmpdir_path/hydra-data/webhook-secrets.conf";
+
+# Create test context with webhook configuration using include
+my $ctx = test_context(
+    tmpdir => $tmpdir,
+    hydra_config => qq|
+<webhooks>
+  Include $tmpdir_path/hydra-data/webhook-secrets.conf
+</webhooks>
+|
+);
+
+# Import Catalyst::Test after test context is set up
+require Catalyst::Test;
+Catalyst::Test->import('Hydra');
+
+# Create a project and jobset for testing
+my $user = $ctx->db()->resultset('Users')->create({
+    username => "webhook-test",
+    emailaddress => 'webhook-test@example.org',
+    password => ''
+});
+
+my $project = $ctx->db()->resultset('Projects')->create({
+    name => "webhook-test",
+    displayname => "webhook-test",
+    owner => $user->username
+});
+
+my $jobset = $project->jobsets->create({
+    name => "test-jobset",
+    nixexprinput => "src",
+    nixexprpath => "default.nix",
+    emailoverride => ""
+});
+
+my $jobsetinput = $jobset->jobsetinputs->create({name => "src", type => "git"});
+$jobsetinput->jobsetinputalts->create({altnr => 0, value => "https://github.com/owner/repo.git"});
+
+# Create another jobset for Gitea
+my $jobset_gitea = $project->jobsets->create({
+    name => "test-jobset-gitea",
+    nixexprinput => "src",
+    nixexprpath => "default.nix",
+    emailoverride => ""
+});
+
+my $jobsetinput_gitea = $jobset_gitea->jobsetinputs->create({name => "src", type => "git"});
+$jobsetinput_gitea->jobsetinputalts->create({altnr => 0, value => "https://gitea.example.com/owner/repo.git"});
+
+subtest "GitHub webhook authentication" => sub {
+    my $payload = encode_json({
+        repository => {
+            owner => { name => "owner" },
+            name => "repo"
+        }
+    });
+
+    subtest "without authentication - properly rejects" => sub {
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "Content" => $payload;
+
+        my $response = request($req);
+        is($response->code, 401, "Unauthenticated request is rejected");
+
+        my $data = decode_json($response->content);
+        is($data->{error}, "Missing webhook signature", "Proper error message for missing signature");
+    };
+
+    subtest "with valid signature" => sub {
+        my $signature = "sha256=" . hmac_sha256_hex($payload, $github_secret);
+
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        is($response->code, 200, "Valid signature is accepted");
+
+        if ($response->code != 200) {
+            diag("Error response: " . $response->content);
+        }
+
+        my $data = decode_json($response->content);
+        is($data->{jobsetsTriggered}, ["webhook-test:test-jobset"], "Jobset was triggered with valid authentication");
+    };
+
+    subtest "with invalid signature" => sub {
+        my $signature = "sha256=" . hmac_sha256_hex($payload, "wrong-secret");
+
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        is($response->code, 401, "Invalid signature is rejected");
+
+        my $data = decode_json($response->content);
+        is($data->{error}, "Invalid webhook signature", "Proper error message for invalid signature");
+    };
+
+    subtest "with second valid secret (multiple secrets configured)" => sub {
+        my $signature = "sha256=" . hmac_sha256_hex($payload, $github_secret_alt);
+
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        is($response->code, 200, "Second valid secret is accepted");
+    };
+};
+
+subtest "Gitea webhook authentication" => sub {
+    my $payload = encode_json({
+        repository => {
+            owner => { username => "owner" },
+            name => "repo",
+            clone_url => "https://gitea.example.com/owner/repo.git"
+        }
+    });
+
+    subtest "without authentication - properly rejects" => sub {
+        my $req = POST '/api/push-gitea',
+            "Content-Type" => "application/json",
+            "Content" => $payload;
+
+        my $response = request($req);
+        is($response->code, 401, "Unauthenticated request is rejected");
+
+        my $data = decode_json($response->content);
+        is($data->{error}, "Missing webhook signature", "Proper error message for missing signature");
+    };
+
+    subtest "with valid signature" => sub {
+        # Note: Gitea doesn't use sha256= prefix
+        my $signature = hmac_sha256_hex($payload, $gitea_secret);
+
+        my $req = POST '/api/push-gitea',
+            "Content-Type" => "application/json",
+            "X-Gitea-Signature" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        is($response->code, 200, "Valid signature is accepted");
+
+        if ($response->code != 200) {
+            diag("Error response: " . $response->content);
+        }
+
+        my $data = decode_json($response->content);
+        is($data->{jobsetsTriggered}, ["webhook-test:test-jobset-gitea"], "Jobset was triggered with valid authentication");
+    };
+
+    subtest "with invalid signature" => sub {
+        my $signature = hmac_sha256_hex($payload, "wrong-secret");
+
+        my $req = POST '/api/push-gitea',
+            "Content-Type" => "application/json",
+            "X-Gitea-Signature" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        is($response->code, 401, "Invalid signature is rejected");
+
+        my $data = decode_json($response->content);
+        is($data->{error}, "Invalid webhook signature", "Proper error message for invalid signature");
+    };
+};
+
+done_testing;

t/Hydra/Controller/Build/download.t

@@ -0,0 +1,74 @@
+use strict;
+use warnings;
+use Setup;
+use Test2::V0;
+use Catalyst::Test ();
+use HTTP::Request::Common;
+
+my %ctx = test_init();
+
+Catalyst::Test->import('Hydra');
+
+my $db = Hydra::Model::DB->new;
+hydra_setup($db);
+
+my $project = $db->resultset('Projects')->create({name => "tests", displayname => "", owner => "root"});
+
+# Create a simple Nix expression that uses the existing build-product-simple.sh
+my $jobsdir = $ctx{jobsdir};
+my $nixfile = "$jobsdir/simple.nix";
+open(my $fh, '>', $nixfile) or die "Cannot create simple.nix: $!";
+print $fh <<"EOF";
+with import ./config.nix;
+{
+  simple = mkDerivation {
+    name = "build-product-simple";
+    builder = ./build-product-simple.sh;
+  };
+}
+EOF
+close($fh);
+
+# Create a jobset that uses the simple build
+my $jobset = createBaseJobset("simple", "simple.nix", $ctx{jobsdir});
+
+ok(evalSucceeds($jobset), "Evaluating simple.nix should succeed");
+is(nrQueuedBuildsForJobset($jobset), 1, "Should have 1 build queued");
+
+my $build = (queuedBuildsForJobset($jobset))[0];
+ok(runBuild($build), "Build should succeed");
+
+$build->discard_changes();
+
+subtest "Test downloading build products (regression test for #1520)" => sub {
+    # Get the build URL
+    my $build_id = $build->id;
+
+    # First, check that the build has products
+    my @products = $build->buildproducts;
+    ok(scalar @products >= 1, "Build should have at least 1 product");
+
+    # Find the doc product (created by build-product-simple.sh)
+    my ($doc_product) = grep { $_->type eq "doc" } @products;
+    ok($doc_product, "Should have a doc product");
+
+    if ($doc_product) {
+        # Test downloading via the download endpoint
+        # This tests the serveFile function which was broken in #1520
+        my $download_url = "/build/$build_id/download/" . $doc_product->productnr . "/text.txt";
+        my $response = request(GET $download_url);
+
+        # The key test: should not return 500 error with "Can't use string ("1") as a HASH ref"
+        isnt($response->code, 500, "Download should not return 500 error (regression test for #1520)");
+        is($response->code, 200, "Download should succeed with 200")
+            or diag("Response code: " . $response->code . ", Content: " . $response->content);
+
+        like($response->header('Content-Security-Policy') // '', qr/\bsandbox\b/, 'CSP header present with sandbox');
+
+        # Check that we get actual content
+        ok(length($response->content) > 0, "Should receive file content");
+        is($response->content, "Hello\n", "Should get expected content");
+    }
+};
+
+done_testing();

t/Hydra/Plugin/gitea.t

@@ -50,7 +50,7 @@ my $pid;
 if (!defined($pid = fork())) {
     die "Cannot fork(): $!";
 } elsif ($pid == 0) {
-    exec("python3 $ctx{jobsdir}/server.py $filename");
+    exec("python3", "$ctx{jobsdir}/server.py", $filename);
 } else {
     my $newbuild = $db->resultset('Builds')->find($build->id);
     is($newbuild->finished, 1, "Build should be finished.");
@@ -58,24 +58,23 @@ if (!defined($pid = fork())) {
     ok(sendNotifications(), "Sent notifications");
 
     kill('INT', $pid);
+    waitpid($pid, 0);
 }
 
 # We expect $ctx{jobsdir}/server.py to create the file at $filename, but the time it
 # takes to do so is non-deterministic. We need to give it _some_ time to hopefully
 # settle -- but not too much that it drastically slows things down.
 for my $i (1..10) {
-    if (! -f $filename) {
-       diag("$filename does not yet exist");
-       sleep(1);
-    }
+    last if -f $filename;
+    diag("$filename does not yet exist");
+    sleep(1);
 }
 
 open(my $fh, "<", $filename) or die ("Can't open(): $!\n");
-my $i = 0;
-my $uri = <$fh>;
+my $request_uri = <$fh>;
 my $data = <$fh>;
 
-ok(index($uri, "gitea/api/v1/repos/root/foo/statuses") != -1, "Correct URL");
+ok(index($request_uri, "gitea/api/v1/repos/root/foo/statuses") != -1, "Correct URL");
 
 my $json = JSON->new;
 my $content;

t/content-addressed/basic.t

@@ -19,6 +19,8 @@ use Test2::V0;
 require Catalyst::Test;
 Catalyst::Test->import('Hydra');
 
+skip_all("This test has been failing since the upgrade to Nix 2.30, and we don't yet know how to fix it.");
+
 my $db = Hydra::Model::DB->new;
 hydra_setup($db);
 

t/perlcritic.pl

@@ -10,4 +10,7 @@ my $dirname = abs_path(dirname(__FILE__) . "/..");
 print STDERR "Executing perlcritic against $dirname\n";
 chdir($dirname) or die "Failed to enter $dirname\n";
 
-exec("perlcritic", ".") or die "Failed to execute perlcritic.";
+# Add src/lib to PERL5LIB so perlcritic can find our custom policies
+$ENV{PERL5LIB} = "src/lib" . ($ENV{PERL5LIB} ? ":$ENV{PERL5LIB}" : "");
+
+exec("perlcritic", "--quiet", ".") or die "Failed to execute perlcritic.";

t/queue-runner/notifications.t

@@ -109,7 +109,7 @@ subtest "Build: not substitutable, unsubstitutable" => sub {
     subtest "Second notification: step_finished" => sub {
         my ($channelName, $pid, $payload) = @{$dbh->func("pg_notifies")};
         is($channelName, "step_finished", "The event is for the step finishing");
-        my ($buildId, $stepNr, $logFile) = split "\t", $payload;
+        my ($buildId, $stepNr, $logFile) = split /\t/, $payload;
         is($buildId, $build->id, "The payload is the build's ID");
         is($stepNr, 1, "The payload is the build's step number");
         isnt($logFile, undef, "The log file is passed");

t/s3-backup-test.pl

@@ -19,11 +19,11 @@ my $jobsetinput;
 
 $jobsetinput = $jobset->jobsetinputs->create({name => "jobs", type => "path"});
 $jobsetinput->jobsetinputalts->create({altnr => 0, value => getcwd . "/jobs"});
-system("hydra-eval-jobset " . $jobset->project->name . " " . $jobset->name);
+system("hydra-eval-jobset", $jobset->project->name, $jobset->name);
 
 my $successful_hash;
 foreach my $build ($jobset->builds->search({finished => 0})) {
-    system("hydra-build " . $build->id);
+    system("hydra-build", $build->id);
     my @outputs = $build->buildoutputs->all;
     my $hash = substr basename($outputs[0]->path), 0, 32;
     if ($build->job->name eq "job") {