lix/src/libexpr
aszlig 43e28a1b75
Fix symlink leak in restricted eval mode
In EvalState::checkSourcePath, the path is checked against the list of
allowed paths first and later it's checked again *after* resolving
symlinks.

The resolving of the symlinks is done via canonPath, which also strips
out "../" and "./". However after the canonicalisation the error message
pointing out that the path is not allowed prints the symlink target in
the error message.

Even if we'd suppress the message, symlink targets could still be leaked
if the symlink target doesn't exist (in this case the error is thrown in
canonPath).

So instead, we now do canonPath() without symlink resolving first before
even checking against the list of allowed paths and then later do the
symlink resolving and checking the allowed paths again.

The first call to canonPath() should get rid of all the "../" and "./",
so in theory the only way to leak a symlink if the attacker is able to
put a symlink in one of the paths allowed by restricted evaluation mode.

For the latter I don't think this is part of the threat model, because
if the attacker can write to that path, the attack vector is even
larger.

Signed-off-by: aszlig <aszlig@nix.build>
2018-08-03 06:46:43 +02:00
..
primops Include cpptoml for build simplicity 2018-07-03 18:39:36 +02:00
attr-path.cc Replace Unicode quotes in user-facing strings by ASCII 2017-07-30 12:32:45 +01:00
attr-path.hh Work on Values instead of Exprs 2013-09-03 13:17:51 +00:00
attr-set.cc Remove duplicate definition of allocBytes() 2018-06-12 17:49:51 +02:00
attr-set.hh libexpr: Don't create lots of temporary strings in Bindings::lexicographicOrder 2018-02-19 22:47:25 +02:00
common-eval-args.cc nix: Respect -I, --arg, --argstr 2017-10-24 12:58:34 +02:00
common-eval-args.hh Fix build 2017-11-01 21:32:30 +01:00
eval-inline.hh GC_malloc -> GC_MALLOC 2018-06-12 17:49:55 +02:00
eval.cc Fix symlink leak in restricted eval mode 2018-08-03 06:46:43 +02:00
eval.hh Add temporary stats 2018-06-12 17:49:55 +02:00
get-drvs.cc nix-shell/nix-build: Support .drv files again 2017-11-24 18:08:35 +01:00
get-drvs.hh nix-shell/nix-build: Support .drv files again 2017-11-24 18:08:35 +01:00
json-to-value.cc json-to-value: Use strtol instead of strtoi 2018-05-26 18:43:46 -04:00
json-to-value.hh Add builtin function ‘fromJSON’ 2014-07-04 13:34:15 +02:00
lexer.l Don't return negative numbers from the flex tokenizer 2018-05-11 12:05:12 +02:00
local.mk Shut up some warnings 2017-04-14 14:42:20 +02:00
names.cc Add splitVersion primop. 2018-02-14 09:55:43 -05:00
names.hh Add splitVersion primop. 2018-02-14 09:55:43 -05:00
nix-expr.pc.in Export required C++ version in pkgconfig. 2018-04-09 11:32:43 -04:00
nixexpr.cc Fix compatibility with latest boost::format 2018-03-14 19:25:09 +01:00
nixexpr.hh Revert "Throw a specific error for incomplete parse errors." 2018-05-11 11:40:50 +02:00
parser.y add `mod' and bitwise builtins: remove infix functions 2018-05-16 06:55:24 +00:00
primops.cc prim_concatMap: no need to force value 2018-07-05 15:33:33 +00:00
primops.hh Make prim_exec and prim_importNative available to plugins 2018-04-09 10:26:50 -04:00
symbol-table.hh Fix some random -Wconversion warnings 2018-05-02 13:56:34 +02:00
value-to-json.cc nix path-info: Add --json flag 2016-08-29 17:29:24 +02:00
value-to-json.hh nix path-info: Add --json flag 2016-08-29 17:29:24 +02:00
value-to-xml.cc First hit at providing support for floats in the language. 2016-01-05 00:40:40 +01:00
value-to-xml.hh Use "#pragma once" to prevent repeated header file inclusion 2012-07-18 14:59:03 -04:00
value.hh Store floating point numbers in double precision 2018-07-03 18:39:32 +02:00