From cd83b8e3aa6273410fc89bf2ec499d0298b7c0d1 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 13 Feb 2013 18:26:00 +0100 Subject: [PATCH] Security: Ensure that a build product refers to the Nix store --- src/lib/Hydra/Helper/AddBuilds.pm | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/src/lib/Hydra/Helper/AddBuilds.pm b/src/lib/Hydra/Helper/AddBuilds.pm index b274f21c..63a6d7a0 100644 --- a/src/lib/Hydra/Helper/AddBuilds.pm +++ b/src/lib/Hydra/Helper/AddBuilds.pm @@ -6,6 +6,7 @@ use XML::Simple; use POSIX qw(strftime); use IPC::Run; use Nix::Store; +use Nix::Config; use Hydra::Model::DB; use Hydra::Helper::Nix; use Digest::SHA qw(sha256_hex); @@ -13,6 +14,7 @@ use File::Basename; use File::stat; use File::Path; use File::Temp; +use File::Spec; use File::Slurp; our @ISA = qw(Exporter); @@ -768,6 +770,7 @@ sub addBuildProducts { my $productnr = 1; my $explicitProducts = 0; + my $storeDir = $Nix::Config::storeDir . "/"; foreach my $output ($build->buildoutputs->all) { my $outPath = $output->path; @@ -779,9 +782,17 @@ sub addBuildProducts { /^([\w\-]+)\s+([\w\-]+)\s+(\S+)(\s+(\S+))?$/ or next; my $type = $1; my $subtype = $2 eq "none" ? "" : $2; - my $path = $3; + my $path = File::Spec->canonpath($3); my $defaultPath = $5; + + # Ensure that the path exists and points into the Nix store. + next unless File::Spec->file_name_is_absolute($path); + next if $path =~ /\/\.\./; # don't go up next unless -e $path; + next unless substr($path, 0, length($storeDir)) eq $storeDir; + + # FIXME: check that the path is in the input closure + # of the build? my $fileSize, my $sha1, my $sha256; @@ -1036,8 +1047,11 @@ sub restartBuild { , timestamp => time , busy => 0 , locker => "" + , iscachedbuild => 0 }); + $build->buildproducts->delete_all; + # Reset the stats for the evals to which this build belongs. # !!! Should do this in a trigger. foreach my $m ($build->jobsetevalmembers->all) {