[Nix#8982] Nix accepts invalid SRI hashes (MD5 and SHA-1) #114

Open
opened 2024-03-16 06:44:58 +00:00 by lix-bot · 1 comment
Member

Upstream-Issue: NixOS/nix#8982

Describe the bug

Nix accepts outputHash values that resemble the SRI hash format but use invalid hash-algo values, such as md5 or sha1. (hash-algo refering to the term in the SRI grammar)

Steps To Reproduce

Evaluate the following expressions:

fetchurl {
  url = "https://www.perdu.com";
  hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}

Expected behavior

Nix should error out, probably with something like « 'md5' is not an SRI hash algorithm. »

nix-env --version output

nix-env (Nix) 2.17.0

Additional context

  • The SRI hash format's specification refers to “CSP Level 2” for the definition of hash-algo and base64-value, as used in its grammar. In turn, the CSP spec defines hash-algo to be one of sha256, sha384 or sha512.
  • Furthermore, the SRI spec explicitly disallows MD5 and SHA-1:

User agents SHOULD refuse to support known-weak hashing functions like MD5 or SHA-1 and SHOULD restrict supported hashing functions to those known to be collision-resistant.

Priorities

Add 👍 to issues you find important.

Upstream-Issue: https://git.lix.systems/NixOS/nix/issues/8982 ## Describe the bug Nix accepts `outputHash` values that resemble the [SRI hash format] but use invalid `hash-algo` values, such as `md5` or `sha1`. (`hash-algo` refering to the term in the SRI grammar) [SRI hash format]: https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute ## Steps To Reproduce Evaluate the following expressions: ```nix fetchurl { url = "https://www.perdu.com"; hash = "md5-rrdBU2a35b2PM2ZO+n/zGw=="; } ``` ## Expected behavior Nix should error out, probably with something like « 'md5' is not an SRI hash algorithm. » ## `nix-env --version` output nix-env (Nix) 2.17.0 ## Additional context - The [SRI hash format]'s specification refers to “CSP Level 2” for the definition of `hash-algo` and `base64-value`, as used in its grammar. In turn, the [CSP spec] defines `hash-algo` to be one of `sha256`, `sha384` or `sha512`. - Furthermore, the SRI spec [explicitly disallows] MD5 and SHA-1: >User agents SHOULD refuse to support known-weak hashing functions like MD5 or SHA-1 and SHOULD restrict supported hashing functions to those known to be collision-resistant. [CSP spec]: https://www.w3.org/TR/CSP2/#source-list-valid-hashes [explicitly disallows]: https://w3c.github.io/webappsec-subresource-integrity/#hash-functions ## Priorities Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).
lix-bot added the
bug
imported
labels 2024-03-16 06:44:58 +00:00
jade added the
E/easy
E/help wanted
labels 2024-03-18 16:21:47 +00:00
Owner

We don't think these have any usage, even though they are in principle accepted. Nixpkgs rejects them, for instance: 1cabb1c445/pkgs/test/stdenv/default.nix (L145-L152)

We don't think these have any usage, even though they are in principle accepted. Nixpkgs rejects them, for instance: https://github.com/nixos/nixpkgs/blob/1cabb1c445f8d535f66fa949362b973832f2ea2f/pkgs/test/stdenv/default.nix#L145-L152
Sign in to join this conversation.
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lix-project/lix#114
No description provided.