mirror of
https://github.com/NixOS/nix.git
synced 2024-11-25 08:12:29 +00:00
Merge pull request #11647 from NixOS/mergify/bp/2.22-maintenance/pr-11610
fix passing CA files into builtins:fetchurl sandbox (backport #11610)
This commit is contained in:
commit
bec7d95de0
@ -9,7 +9,8 @@ namespace nix {
|
|||||||
void builtinFetchurl(
|
void builtinFetchurl(
|
||||||
const BasicDerivation & drv,
|
const BasicDerivation & drv,
|
||||||
const std::map<std::string, Path> & outputs,
|
const std::map<std::string, Path> & outputs,
|
||||||
const std::string & netrcData);
|
const std::string & netrcData,
|
||||||
|
const std::string & caFileData);
|
||||||
|
|
||||||
void builtinUnpackChannel(
|
void builtinUnpackChannel(
|
||||||
const BasicDerivation & drv,
|
const BasicDerivation & drv,
|
||||||
|
@ -1740,13 +1740,20 @@ void LocalDerivationGoal::runChild()
|
|||||||
|
|
||||||
bool setUser = true;
|
bool setUser = true;
|
||||||
|
|
||||||
/* Make the contents of netrc available to builtin:fetchurl
|
/* Make the contents of netrc and the CA certificate bundle
|
||||||
(which may run under a different uid and/or in a sandbox). */
|
available to builtin:fetchurl (which may run under a
|
||||||
|
different uid and/or in a sandbox). */
|
||||||
std::string netrcData;
|
std::string netrcData;
|
||||||
try {
|
std::string caFileData;
|
||||||
if (drv->isBuiltin() && drv->builder == "builtin:fetchurl")
|
if (drv->isBuiltin() && drv->builder == "builtin:fetchurl") {
|
||||||
netrcData = readFile(settings.netrcFile);
|
try {
|
||||||
} catch (SystemError &) { }
|
netrcData = readFile(settings.netrcFile);
|
||||||
|
} catch (SystemError &) { }
|
||||||
|
|
||||||
|
try {
|
||||||
|
caFileData = readFile(settings.caFile);
|
||||||
|
} catch (SystemError &) { }
|
||||||
|
}
|
||||||
|
|
||||||
#if __linux__
|
#if __linux__
|
||||||
if (useChroot) {
|
if (useChroot) {
|
||||||
@ -2185,7 +2192,7 @@ void LocalDerivationGoal::runChild()
|
|||||||
worker.store.printStorePath(scratchOutputs.at(e.first)));
|
worker.store.printStorePath(scratchOutputs.at(e.first)));
|
||||||
|
|
||||||
if (drv->builder == "builtin:fetchurl")
|
if (drv->builder == "builtin:fetchurl")
|
||||||
builtinFetchurl(*drv, outputs, netrcData);
|
builtinFetchurl(*drv, outputs, netrcData, caFileData);
|
||||||
else if (drv->builder == "builtin:buildenv")
|
else if (drv->builder == "builtin:buildenv")
|
||||||
builtinBuildenv(*drv, outputs);
|
builtinBuildenv(*drv, outputs);
|
||||||
else if (drv->builder == "builtin:unpack-channel")
|
else if (drv->builder == "builtin:unpack-channel")
|
||||||
|
@ -9,7 +9,8 @@ namespace nix {
|
|||||||
void builtinFetchurl(
|
void builtinFetchurl(
|
||||||
const BasicDerivation & drv,
|
const BasicDerivation & drv,
|
||||||
const std::map<std::string, Path> & outputs,
|
const std::map<std::string, Path> & outputs,
|
||||||
const std::string & netrcData)
|
const std::string & netrcData,
|
||||||
|
const std::string & caFileData)
|
||||||
{
|
{
|
||||||
/* Make the host's netrc data available. Too bad curl requires
|
/* Make the host's netrc data available. Too bad curl requires
|
||||||
this to be stored in a file. It would be nice if we could just
|
this to be stored in a file. It would be nice if we could just
|
||||||
@ -19,6 +20,9 @@ void builtinFetchurl(
|
|||||||
writeFile(settings.netrcFile, netrcData, 0600);
|
writeFile(settings.netrcFile, netrcData, 0600);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
settings.caFile = "ca-certificates.crt";
|
||||||
|
writeFile(settings.caFile, caFileData, 0600);
|
||||||
|
|
||||||
auto out = get(drv.outputs, "out");
|
auto out = get(drv.outputs, "out");
|
||||||
if (!out)
|
if (!out)
|
||||||
throw Error("'builtin:fetchurl' requires an 'out' output");
|
throw Error("'builtin:fetchurl' requires an 'out' output");
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
# Test whether builtin:fetchurl properly performs TLS certificate
|
# Test whether builtin:fetchurl properly performs TLS certificate
|
||||||
# checks on HTTPS servers.
|
# checks on HTTPS servers.
|
||||||
|
|
||||||
{ lib, config, pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
@ -25,7 +25,7 @@ in
|
|||||||
name = "nss-preload";
|
name = "nss-preload";
|
||||||
|
|
||||||
nodes = {
|
nodes = {
|
||||||
machine = { lib, pkgs, ... }: {
|
machine = { pkgs, ... }: {
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
@ -60,13 +60,16 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
testScript = { nodes, ... }: ''
|
testScript = ''
|
||||||
machine.wait_for_unit("nginx")
|
machine.wait_for_unit("nginx")
|
||||||
machine.wait_for_open_port(443)
|
machine.wait_for_open_port(443)
|
||||||
|
|
||||||
out = machine.succeed("curl https://good/index.html")
|
out = machine.succeed("curl https://good/index.html")
|
||||||
assert out == "hello world\n"
|
assert out == "hello world\n"
|
||||||
|
|
||||||
|
out = machine.succeed("cat ${badCert}/cert.pem > /tmp/cafile.pem; curl --cacert /tmp/cafile.pem https://bad/index.html")
|
||||||
|
assert out == "foobar\n"
|
||||||
|
|
||||||
# Fetching from a server with a trusted cert should work.
|
# Fetching from a server with a trusted cert should work.
|
||||||
machine.succeed("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://good/index.html\"; hash = \"sha256-qUiQTy8PR5uPgZdpSzAYSw0u0cHNKh7A+4XSmaGSpEc=\"; }'")
|
machine.succeed("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://good/index.html\"; hash = \"sha256-qUiQTy8PR5uPgZdpSzAYSw0u0cHNKh7A+4XSmaGSpEc=\"; }'")
|
||||||
|
|
||||||
@ -74,5 +77,8 @@ in
|
|||||||
err = machine.fail("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }' 2>&1")
|
err = machine.fail("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }' 2>&1")
|
||||||
print(err)
|
print(err)
|
||||||
assert "SSL certificate problem: self-signed certificate" in err
|
assert "SSL certificate problem: self-signed certificate" in err
|
||||||
|
|
||||||
|
# Fetching from a server with a trusted cert should work via environment variable override.
|
||||||
|
machine.succeed("NIX_SSL_CERT_FILE=/tmp/cafile.pem nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }'")
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user