Security: Ensure that a build product refers to the Nix store
This commit is contained in:
parent
10882a1ffd
commit
cd83b8e3aa
@ -6,6 +6,7 @@ use XML::Simple;
|
||||||
use POSIX qw(strftime);
|
use POSIX qw(strftime);
|
||||||
use IPC::Run;
|
use IPC::Run;
|
||||||
use Nix::Store;
|
use Nix::Store;
|
||||||
|
use Nix::Config;
|
||||||
use Hydra::Model::DB;
|
use Hydra::Model::DB;
|
||||||
use Hydra::Helper::Nix;
|
use Hydra::Helper::Nix;
|
||||||
use Digest::SHA qw(sha256_hex);
|
use Digest::SHA qw(sha256_hex);
|
||||||
|
@ -13,6 +14,7 @@ use File::Basename;
|
||||||
use File::stat;
|
use File::stat;
|
||||||
use File::Path;
|
use File::Path;
|
||||||
use File::Temp;
|
use File::Temp;
|
||||||
|
use File::Spec;
|
||||||
use File::Slurp;
|
use File::Slurp;
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
|
@ -768,6 +770,7 @@ sub addBuildProducts {
|
||||||
|
|
||||||
my $productnr = 1;
|
my $productnr = 1;
|
||||||
my $explicitProducts = 0;
|
my $explicitProducts = 0;
|
||||||
|
my $storeDir = $Nix::Config::storeDir . "/";
|
||||||
|
|
||||||
foreach my $output ($build->buildoutputs->all) {
|
foreach my $output ($build->buildoutputs->all) {
|
||||||
my $outPath = $output->path;
|
my $outPath = $output->path;
|
||||||
|
@ -779,9 +782,17 @@ sub addBuildProducts {
|
||||||
/^([\w\-]+)\s+([\w\-]+)\s+(\S+)(\s+(\S+))?$/ or next;
|
/^([\w\-]+)\s+([\w\-]+)\s+(\S+)(\s+(\S+))?$/ or next;
|
||||||
my $type = $1;
|
my $type = $1;
|
||||||
my $subtype = $2 eq "none" ? "" : $2;
|
my $subtype = $2 eq "none" ? "" : $2;
|
||||||
my $path = $3;
|
my $path = File::Spec->canonpath($3);
|
||||||
my $defaultPath = $5;
|
my $defaultPath = $5;
|
||||||
|
|
||||||
|
# Ensure that the path exists and points into the Nix store.
|
||||||
|
next unless File::Spec->file_name_is_absolute($path);
|
||||||
|
next if $path =~ /\/\.\./; # don't go up
|
||||||
next unless -e $path;
|
next unless -e $path;
|
||||||
|
next unless substr($path, 0, length($storeDir)) eq $storeDir;
|
||||||
|
|
||||||
|
# FIXME: check that the path is in the input closure
|
||||||
|
# of the build?
|
||||||
|
|
||||||
my $fileSize, my $sha1, my $sha256;
|
my $fileSize, my $sha1, my $sha256;
|
||||||
|
|
||||||
|
@ -1036,8 +1047,11 @@ sub restartBuild {
|
||||||
, timestamp => time
|
, timestamp => time
|
||||||
, busy => 0
|
, busy => 0
|
||||||
, locker => ""
|
, locker => ""
|
||||||
|
, iscachedbuild => 0
|
||||||
});
|
});
|
||||||
|
|
||||||
|
$build->buildproducts->delete_all;
|
||||||
|
|
||||||
# Reset the stats for the evals to which this build belongs.
|
# Reset the stats for the evals to which this build belongs.
|
||||||
# !!! Should do this in a trigger.
|
# !!! Should do this in a trigger.
|
||||||
foreach my $m ($build->jobsetevalmembers->all) {
|
foreach my $m ($build->jobsetevalmembers->all) {
|
||||||
|
|
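Review bot: The new store-prefix check in addBuildProducts compares the lexical path only, while the `-e $path` test just before it follows symlinks; a product path that starts with `$storeDir` but passes through a symlink can therefore resolve outside the store and still be accepted. `File::Spec->canonpath` does not resolve symlinks (or `..`, which is why the separate regex is needed), so a resolved form should be checked as well, e.g. `my $realPath = Cwd::realpath($path);` followed by `next unless defined $realPath && substr($realPath, 0, length($storeDir)) eq $storeDir;`, with `use Cwd;` added next to the new `use File::Spec;` (Cwd is core). Whether symlinks to other store paths are expected in build outputs is not visible here; checking the resolved path keeps those valid while rejecting anything that leaves the store. Two smaller points in the same hunk: `$path =~ /\/\.\./` also rejects legitimate names that merely begin with `..` (a pattern like `m{(?:\A|/)\.\.(?:/|\z)}` matches only real parent-directory components), and reading `$5` after the `canonpath` call relies on capture variables being restored on sub return, so capturing all four groups into a list on the line after the match would be clearer. addBuildProducts begins and ends outside the hunk.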