
fetchurl does not check certificate: possible malicious address redirects #5837

Open
psydvl opened this issue Dec 28, 2021 · 6 comments

psydvl commented Dec 28, 2021

Describe the bug

For now, fetchurl does not check the certificate, and malicious redirects are possible.
Like I faced just now, when nix tried to download a package source from a URL blocked in my country, while there is a second, fully accessible one.

More details in NixOS/nixpkgs#152281

Steps To Reproduce
Known to me:

  1. Move to Russia(?), or launch a VPN to Russia, or create some DNS rule(?)
  2. Try to install nixpkgs.tor-browser-bundle-bin

Expected behavior

Nix finds out about the certificate replacement and tries to download from the next available src source.

nix-env --version output

$ nix-env --version
nix-env (Nix) 2.4
$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.3-zen1, NixOS, 21.11 (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.4`
 - channels(root): `"nixos-21.11.334797.6979c0e49bb, nixos-unstable-22.05pre340469.cb372c3b888"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos

Additional context
Possibly related #4173


psydvl commented Dec 29, 2021

There are a lot of update scripts which update sha256 with nix-prefetch-url, like this one:
https://github.com/NixOS/nixpkgs/blob/8a54f4c0bbef28976f69347c458ce74ed98e0234/pkgs/applications/networking/cluster/terraform-providers/update-provider#L140

@SuperSandro2000

nix-prefetch-url checks the ssl certificate, fetchurl does not.

$ nix-prefetch-url https://untrusted-root.badssl.com/
warning: error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60); retrying in 345 ms
warning: error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60); retrying in 528 ms
warning: error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60); retrying in 1051 ms
warning: error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60); retrying in 2680 ms
error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60)

@SuperSandro2000

This is not a problem in nix. The root cause lies in fetchurl, which only sets the path to the certificates if the hash is empty https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchurl/default.nix#L142 . This is always the case except when generating the hash for the first time and setting the output hash to empty, which does not even work with all functions. In practice it is never checked. This is not easily fixable because cacert uses buildcatrust https://github.com/NixOS/nixpkgs/blob/master/pkgs/data/misc/cacert/default.nix#L5 which means we would need to bootstrap the entirety of python without cacert.

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/question-about-fetchers-and-tls/18243/1

@TLATER

TLATER commented Mar 18, 2022

@SuperSandro2000 as mentioned on discourse, it not being a problem is not wrong, but also not entirely true either. An insecure hash can be abused by a particularly crafty adversary here, and there are at least a few packages that use sha1 in nixpkgs (apparently anything using yarn/npm): https://github.com/NixOS/nixpkgs/search?q=sha1&type=

I still think the risk is quite low, but it does exist. Maybe insecure checksums should be deprecated?
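The two comments above make one combined point: once a fixed-output hash is known, fetchurl downloads without TLS verification, so the output hash is the only integrity control left, and that control is only as good as the hash algorithm. The following Python model is an added example and is not code from Nix or nixpkgs. It replaces the network with a constructed in-memory mirror table (the URLs, payloads and certificate states are made up), and it assumes, as a simplification of the builder, that the first URL whose download completes is the one whose bytes get hash-checked. It contrasts that ordering with the per-mirror fallback the reporter expected, and it refuses the weak algorithms TLATER mentions unless explicitly allowed.

```python
"""Added example, not Nix or nixpkgs code: a model of a fixed-output fetch
where TLS verification is skipped once a hash is known, so the hash is the only
thing standing between a wrong mirror response and the build.  Network access
is replaced by a constructed mirror table; every URL, payload and certificate
state below is made up for the example."""
import hashlib

# Constructed responses.  mirror-a stands in for the URL the reporter could not
# reach: it answers with an HTML block page over a connection whose certificate
# would not validate.  mirror-b serves the real bytes with a valid certificate.
REAL_SOURCE = b"PK\x03\x04 constructed stand-in for the real source archive"
BLOCK_PAGE = b"<html><body>Access to this resource is restricted</body></html>"
MIRRORS = {
    "https://mirror-a.example/src.tar.xz": (BLOCK_PAGE, "untrusted-root"),
    "https://mirror-b.example/src.tar.xz": (REAL_SOURCE, "valid"),
}
WEAK_ALGOS = {"md5", "sha1"}  # collision attacks are practical against both


class FetchError(Exception):
    pass


def fake_download(url, verify_tls):
    """Stand-in for curl: with verification on, a bad certificate is an error
    (curl exit 60); with verification off (curl --insecure) the peer's bytes
    are returned whatever certificate it presented."""
    body, cert_state = MIRRORS[url]
    if verify_tls and cert_state != "valid":
        raise FetchError(f"{url}: SSL peer certificate or SSH remote key was not OK (60)")
    return body


def expected_hash(algo, data):
    return hashlib.new(algo, data).hexdigest()


def check_hash(body, algo, expected, allow_weak=False):
    """The fixed-output check.  Refusing weak algorithms is an assumption of
    this model (the deprecation floated in the thread), not nixpkgs behaviour."""
    if algo in WEAK_ALGOS and not allow_weak:
        raise ValueError(f"refusing weak output hash algorithm {algo}")
    got = hashlib.new(algo, body).hexdigest()
    if got != expected:
        raise FetchError(f"hash mismatch: expected {algo}:{expected}, got {algo}:{got}")


def fetch_first_success(urls, algo, expected, verify_tls=False, allow_weak=False):
    """Assumed current ordering: the first URL that downloads at all wins, and
    the hash is checked once, afterwards.  A reachable mirror serving the wrong
    bytes therefore fails the whole fetch instead of falling through."""
    errors = []
    for url in urls:
        try:
            body = fake_download(url, verify_tls)
            break
        except FetchError as e:
            errors.append(str(e))
    else:
        raise FetchError("all downloads failed: " + "; ".join(errors))
    check_hash(body, algo, expected, allow_weak)
    return url


def fetch_with_fallback(urls, algo, expected, verify_tls=False, allow_weak=False):
    """The behaviour the reporter expected: a mirror whose bytes do not match
    the hash is treated like a failed download and the next URL is tried."""
    errors = []
    for url in urls:
        try:
            body = fake_download(url, verify_tls)
            check_hash(body, algo, expected, allow_weak)
            return url
        except FetchError as e:
            errors.append(str(e))
    raise FetchError("all mirrors failed: " + "; ".join(errors))


def outcome(fn, urls, algo, expected, **kw):
    """Return the chosen URL, or the error text, so policies can be compared."""
    try:
        return fn(urls, algo, expected, **kw)
    except (FetchError, ValueError) as e:
        return "error: " + str(e)


if __name__ == "__main__":
    urls = list(MIRRORS)
    sha = expected_hash("sha256", REAL_SOURCE)
    policies = [
        ("first success, no TLS check (fetchurl-like)", fetch_first_success, False),
        ("first success, TLS check (nix-prefetch-url-like)", fetch_first_success, True),
        ("fallback on mismatch, no TLS check", fetch_with_fallback, False),
    ]
    for name, fn, verify in policies:
        print(f"{name}: {outcome(fn, urls, 'sha256', sha, verify_tls=verify)}")
    print("sha1 without allow_weak:",
          outcome(fetch_with_fallback, urls, "sha1", expected_hash("sha1", REAL_SOURCE)))
```

Run it and the three sha256 policies diverge only in which mirror gets a chance: without TLS verification the block page is downloaded and rejected by the hash, which is the integrity argument in the comment above, but the fetch still fails rather than trying the second URL. Checking the certificate, or checking the hash per mirror, is what turns the blocked mirror into a fallback. The sha1 branch shows why a strong hash is the real precondition for skipping TLS: with a collision-prone algorithm the hash check no longer proves the bytes came from the intended source.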

@stale stale bot added the stale label Sep 21, 2022
@timbertson

timbertson commented Nov 30, 2023

This is not easily fixable because cacert uses buildcatrust https://github.com/NixOS/nixpkgs/blob/master/pkgs/data/misc/cacert/default.nix#L5 which means we would need to bootstrap the entirety of python without cacert.

@SuperSandro2000 It looks like fetchurl allows the cacert dependency to be null. Could the branching logic be that we use --insecure when cacert == null? Then the bootstrapping issue could be resolved by passing cacert = null in the one relevant place (buildcatrust?), but everywhere else it's the real cacert, and performs certificate checking.
