Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

38 lines (28 sloc) 1.073 kB
# Test that users cannot register specially-crafted derivations that
# produce output paths belonging to other derivations. This could be
# used to inject malware into the store.
source common.sh
clearStore
clearManifests
startDaemon
# Determine the output path of the "good" derivation.
goodOut=$(nix-store -q $(nix-instantiate ./secure-drv-outputs.nix -A good))
# Instantiate the "bad" derivation.
badDrv=$(nix-instantiate ./secure-drv-outputs.nix -A bad)
badOut=$(nix-store -q $badDrv)
# Rewrite the bad derivation to produce the output path of the good
# derivation.
rm -f $TEST_ROOT/bad.drv
sed -e "s|$badOut|$goodOut|g" < $badDrv > $TEST_ROOT/bad.drv
# Add the manipulated derivation to the store and build it. This
# should fail.
if badDrv2=$(nix-store --add $TEST_ROOT/bad.drv); then
nix-store -r "$badDrv2"
fi
# Now build the good derivation.
goodOut2=$(nix-build ./secure-drv-outputs.nix -A good)
test "$goodOut" = "$goodOut2"
if ! test -e "$goodOut"/good; then
echo "Bad derivation stole the output path of the good derivation!"
exit 1
fi
Jump to Line
Something went wrong with that request. Please try again.