mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-22 14:06:16 +02:00
* Added a test that make sure that users cannot register
specially-crafted derivations that produce output paths belonging to other derivations. This could be used to inject malware into the store.
This commit is contained in:
parent
4bdb51e621
commit
d2bfe1b071
3 changed files with 62 additions and 1 deletions
|
@ -8,7 +8,7 @@ TESTS = init.sh hash.sh lang.sh add.sh simple.sh dependencies.sh \
|
||||||
referrers.sh user-envs.sh logging.sh nix-build.sh misc.sh fixed.sh \
|
referrers.sh user-envs.sh logging.sh nix-build.sh misc.sh fixed.sh \
|
||||||
gc-runtime.sh install-package.sh check-refs.sh filter-source.sh \
|
gc-runtime.sh install-package.sh check-refs.sh filter-source.sh \
|
||||||
remote-store.sh export.sh export-graph.sh negative-caching.sh \
|
remote-store.sh export.sh export-graph.sh negative-caching.sh \
|
||||||
binary-patching.sh timeout.sh
|
binary-patching.sh timeout.sh secure-drv-outputs.sh
|
||||||
|
|
||||||
XFAIL_TESTS =
|
XFAIL_TESTS =
|
||||||
|
|
||||||
|
@ -34,5 +34,6 @@ EXTRA_DIST = $(TESTS) \
|
||||||
negative-caching.nix \
|
negative-caching.nix \
|
||||||
binary-patching.nix \
|
binary-patching.nix \
|
||||||
timeout.nix timeout.builder.sh \
|
timeout.nix timeout.builder.sh \
|
||||||
|
secure-drv-outputs.nix \
|
||||||
$(wildcard lang/*.nix) $(wildcard lang/*.exp) $(wildcard lang/*.exp.xml) $(wildcard lang/*.flags) \
|
$(wildcard lang/*.nix) $(wildcard lang/*.exp) $(wildcard lang/*.exp.xml) $(wildcard lang/*.flags) \
|
||||||
common.sh.in
|
common.sh.in
|
||||||
|
|
23
tests/secure-drv-outputs.nix
Normal file
23
tests/secure-drv-outputs.nix
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
with import ./config.nix;
|
||||||
|
|
||||||
|
{
|
||||||
|
|
||||||
|
good = mkDerivation {
|
||||||
|
name = "good";
|
||||||
|
builder = builtins.toFile "builder"
|
||||||
|
''
|
||||||
|
mkdir $out
|
||||||
|
touch $out/good
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
bad = mkDerivation {
|
||||||
|
name = "good";
|
||||||
|
builder = builtins.toFile "builder"
|
||||||
|
''
|
||||||
|
mkdir $out
|
||||||
|
touch $out/bad
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
37
tests/secure-drv-outputs.sh
Normal file
37
tests/secure-drv-outputs.sh
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
# Test that users cannot register specially-crafted derivations that
|
||||||
|
# produce output paths belonging to other derivations. This could be
|
||||||
|
# used to inject malware into the store.
|
||||||
|
|
||||||
|
source common.sh
|
||||||
|
|
||||||
|
clearStore
|
||||||
|
clearManifests
|
||||||
|
|
||||||
|
startDaemon
|
||||||
|
|
||||||
|
# Determine the output path of the "good" derivation.
|
||||||
|
goodOut=$($nixstore -q $($nixinstantiate ./secure-drv-outputs.nix -A good))
|
||||||
|
|
||||||
|
# Instantiate the "bad" derivation.
|
||||||
|
badDrv=$($nixinstantiate ./secure-drv-outputs.nix -A bad)
|
||||||
|
badOut=$($nixstore -q $badDrv)
|
||||||
|
|
||||||
|
# Rewrite the bad derivation to produce the output path of the good
|
||||||
|
# derivation.
|
||||||
|
rm -f $TEST_ROOT/bad.drv
|
||||||
|
sed -e "s|$badOut|$goodOut|g" < $badDrv > $TEST_ROOT/bad.drv
|
||||||
|
|
||||||
|
# Add the manipulated derivation to the store and build it. This
|
||||||
|
# should fail.
|
||||||
|
if badDrv2=$($nixstore --add $TEST_ROOT/bad.drv); then
|
||||||
|
$nixstore -r "$badDrv2"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Now build the good derivation.
|
||||||
|
goodOut2=$($nixbuild ./secure-drv-outputs.nix -A good)
|
||||||
|
test "$goodOut" = "$goodOut2"
|
||||||
|
|
||||||
|
if ! test -e "$goodOut"/good; then
|
||||||
|
echo "Bad derivation stole the output path of the good derivation!"
|
||||||
|
exit 1
|
||||||
|
fi
|
Loading…
Reference in a new issue