fetchurl does not check certificate: possible malicious address redirects #5837
Comments
There are a lot of update scripts, which update sha256 with

nix-prefetch-url checks the ssl certificate, fetchurl does not.
This is not a problem in nix. The root cause lies in fetchurl, which only sets the path to the certificates if the hash is empty (https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchurl/default.nix#L142). This is always the case except when generating the hash for the first time and setting the output hash to empty, which does not even work with all functions. In practice it is never checked. This is not easily fixable because cacert uses buildcatrust (https://github.com/NixOS/nixpkgs/blob/master/pkgs/data/misc/cacert/default.nix#L5), which means we would need to bootstrap the entirety of Python without cacert.
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/question-about-fetchers-and-tls/18243/1

@SuperSandro2000 As mentioned on Discourse, it not being a problem is not wrong, but also not entirely true either. An insecure hash can be abused by a particularly crafty adversary here, and there are at least a few packages that use sha1 in nixpkgs (apparently anything using yarn/npm): https://github.com/NixOS/nixpkgs/search?q=sha1&type= I still think the risk is quite low, but it does exist. Maybe insecure checksums should be deprecated?

@SuperSandro2000 It looks like fetchurl allows the
Describe the bug
For now, fetchurl does not check the certificate and can follow malicious redirects. I faced this just now, when nix tried to download a package source from a URL blocked in my country, while there is a fully accessible second one.
More details in NixOS/nixpkgs#152281
Steps To Reproduce
Known for me: nixpkgs.tor-browser-bundle-bin
Expected behavior
Nix finds out about the certificate replacement and tries to download from the next available src source.
nix-env --version output

Additional context
Possibly related #4173
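The following is an added example, not code from Nix, nixpkgs or the reporter. It models the fetchurl rule described in @SuperSandro2000's comment (certificate verification is only enabled when the output hash is empty or a placeholder; otherwise TLS is skipped and the pinned hash is the integrity control) together with the mirror fallback asked for under "Expected behavior": a hash mismatch on one mirror moves on to the next. Network access is replaced by a constructed mirror table, the URLs and tarball bytes are made up, the FAKE_SHA256 sentinel stands in for lib.fakeSha256, and rejecting sha1/md5 pins is an assumption taken from the deprecation suggestion above, not current nixpkgs behaviour.

```python
"""Model of the fetchurl rule discussed in this issue (added example)."""
import hashlib
from typing import Callable, Dict, List, Tuple

# Placeholder meaning "no hash yet", in the role of lib.fakeSha256 in nixpkgs
# (assumed value for this model; only its role matters here).
FAKE_SHA256 = "0" * 64

# Algorithms accepted for pinning.  Rejecting sha1/md5 is an assumption of this
# example following the deprecation suggestion in the thread; nixpkgs does not
# enforce it.
SECURE_ALGOS = {"sha256", "sha512"}

# A fetcher maps a URL to (certificate_valid, body).  certificate_valid stands
# for the verdict curl would reach with TLS verification enabled.
Fetcher = Callable[[str], Tuple[bool, bytes]]


class FetchError(Exception):
    pass


def tls_verification_required(hash_value: str) -> bool:
    """The fetchurl rule: verify the certificate only when no real hash exists."""
    return hash_value in ("", FAKE_SHA256)


def fetch_with_mirrors(urls: List[str], hash_algo: str, hash_value: str,
                       fetcher: Fetcher) -> Tuple[str, bytes, str]:
    """Return (url, body, digest) from the first mirror that passes the check
    in force; raise FetchError listing every failure otherwise."""
    if hash_algo not in SECURE_ALGOS:
        raise FetchError(f"refusing to pin content with weak hash {hash_algo}")
    need_tls = tls_verification_required(hash_value)
    failures: List[str] = []
    for url in urls:
        cert_ok, body = fetcher(url)
        digest = hashlib.new(hash_algo, body).hexdigest()
        if need_tls:
            # First-time prefetch: the certificate is the only integrity control.
            if not cert_ok:
                failures.append(f"{url}: certificate verification failed")
                continue
        elif digest != hash_value:
            # Hash known: TLS is skipped (curl --insecure), the hash is the
            # integrity control, and a mismatch (block page, tampered mirror)
            # just means "try the next mirror" instead of a hard failure.
            failures.append(f"{url}: {hash_algo} mismatch ({digest[:12]}...)")
            continue
        return url, body, digest
    raise FetchError("all mirrors failed: " + "; ".join(failures))


# --- constructed data for the offline demo -----------------------------------
GOOD_TARBALL = b"constructed tor-browser-bundle-bin tarball bytes\n"
BLOCK_PAGE = b"<html>this resource is not available in your region</html>\n"
GOOD_SHA256 = hashlib.sha256(GOOD_TARBALL).hexdigest()

# The first mirror is "blocked": it answers with a block page under a
# certificate that does not match the requested host.  The second is fine.
MIRRORS: Dict[str, Tuple[bool, bytes]] = {
    "https://blocked.example.org/tbb.tar.xz": (False, BLOCK_PAGE),
    "https://mirror.example.net/tbb.tar.xz": (True, GOOD_TARBALL),
}


def fake_fetch(url: str) -> Tuple[bool, bytes]:
    return MIRRORS[url]


def demo() -> Dict[str, str]:
    """Run both paths and report which mirror each one ended up using."""
    pinned_url, _, _ = fetch_with_mirrors(list(MIRRORS), "sha256", GOOD_SHA256, fake_fetch)
    prefetch_url, _, prefetch_digest = fetch_with_mirrors(list(MIRRORS), "sha256", "", fake_fetch)
    return {"pinned": pinned_url, "prefetch": prefetch_url, "prefetch_digest": prefetch_digest}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the hash pinned, the blocked mirror's block page fails the sha256 check and the fetch falls through to the second mirror without ever looking at the certificate; with an empty hash (the prefetch case), the same mirror is rejected on the certificate instead. A man-in-the-middle that serves the exact pinned bytes passes in the pinned path, which is precisely why the pin must use a collision-resistant hash.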