fix(core): use current user when hashing native file & enable setting its directory via env #24326
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Ignored Deployment
|
☁️ Nx Cloud ReportCI is running/has finished running commands for commit 93ecc01. As they complete they will appear below. Click to see the status, the terminal output, and the build insights. 📂 See all runs for this CI Pipeline Execution ✅ Successfully ran 6 targets
Sent with 💌 from NxCloud. |
… its directory via env
MaxKless
force-pushed
the
native-cache-tweaks
branch
from
1ff6416
to
b99e5ec
Compare
| .update(userInfo().username) | ||
| .digest('hex') | ||
| .substring(0, 7); | ||
| return join(tmpdir(), `nx-native-file-cache-${shortUserHash}`); |
There was a problem hiding this comment.
Do we need a shortUserHash here as well as in the hash for the child directory?
right now we have...
/tmp/[F(username)]/[F(username, workspaceRoot]
We should be able to have..
/tmp/[F(username, workspaceRoot)] right?
|
because the hash is deterministic and tmp is world-writable and regularly cleaned up, if the client assumes that the node binary is correct, isn't that a security issue? |
|
if you're worried about other users on your system, you can set the location to a folder only you have access to via the new environment variable |
|
It looks like alternately this could be stored in I have this as a transitive dependency that I didn't particularly ask for. Expecting from all users that they realize that they have this dependency, inspect all of its inner workings to realize there is a security issue, and finally set an env variable to mitigate it does not seem like a sound way to handle security issues. |
|
That's a valid point. I'm hesitant to set the directory to something user-scoped because of potentially different permission handling across OS. My biggest priority is avoiding errors when using Nx because copying that file is required and if there is a permission issue, we could cause errors for everyone - not just those with hypothetical malicious other users on the same machine. |
|
This pull request has already been merged/closed. If you experience issues related to these changes, please open a new issue referencing this pull request. |
Current Behavior
The native file hashing takes only the nx version & workspace path into account.
There is also no way to control the storage location of native
.nodefiles used by nx.Expected Behavior
The native file hashing takes the nx version, workspace path & current username into account, making sure the cache isn't shared between multiple users on the same device.
It's also possible to control the exact location of the native file cache by setting the
NX_NATIVE_FILE_CACHE_DIRECTORYenvironment variable if you need to move it somewhere else.Related Issue(s)
Fixes #