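# Test that users cannot register specially-crafted derivations that
# produce output paths belonging to other derivations.  This could be
# used to inject malware into the store.
#
# Flow: compute the output path of the "good" derivation, write a tampered
# copy of the "bad" derivation that names that path as its own output, try
# to add and build the tampered copy, then build "good" and verify that its
# output path still holds the expected content.

# clearStore, clearManifests, startDaemon and TEST_ROOT are not defined in
# this file; presumably common.sh provides them -- confirm against common.sh.
source common.sh

clearStore
clearManifests
startDaemon

# Location of the tampered derivation file.  Abort when TEST_ROOT is unset
# or empty so the rm and the redirect below can never resolve to /bad.drv.
tamperedDrv="${TEST_ROOT:?TEST_ROOT must be set}/bad.drv"

# Determine the output path of the "good" derivation.
goodDrv=$(nix-instantiate ./secure-drv-outputs.nix -A good)
goodOut=$(nix-store -q "$goodDrv")

# Instantiate the "bad" derivation.
badDrv=$(nix-instantiate ./secure-drv-outputs.nix -A bad)
badOut=$(nix-store -q "$badDrv")

# Rewrite the bad derivation to produce the output path of the good
# derivation.  The paths are interpolated into the sed expression as-is,
# so they are treated as a pattern, not as a literal string.
rm -f -- "$tamperedDrv"
sed -e "s|$badOut|$goodOut|g" < "$badDrv" > "$tamperedDrv"

# Add the manipulated derivation to the store and build it.  This
# should fail.  The add is the `if` condition, so a rejected add just skips
# the build; the verdict comes from the checks at the end of the script.
# NOTE(review): if common.sh enables errexit, a failing `nix-store -r` here
# would end the script -- confirm that is the intended outcome.
if badDrv2=$(nix-store --add "$tamperedDrv"); then
  nix-store -r "$badDrv2"
fi

# Now build the good derivation.
goodOut2=$(nix-build ./secure-drv-outputs.nix -A good)

# The build must land on the path computed up front.  Checked explicitly so
# the assertion holds whether or not errexit is in effect.
if [ "$goodOut" != "$goodOut2" ]; then
  echo "Good derivation built at unexpected path: $goodOut2 (expected $goodOut)" >&2
  exit 1
fi

# The good output must contain the file "good"; if it does not, something
# else populated that store path.
if ! test -e "$goodOut"/good; then
  echo "Bad derivation stole the output path of the good derivation!"
  exit 1
fi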