Disallow build products that are symlinks

Otherwise you can do

  ln -s /etc/passwd $out/foo
  echo "file misc $out/foo" >> $out/nix-support/hydra-build-products

and get Hydra to serve its /etc/passwd file.
Eelco Dolstra 2013-02-23 16:28:44 +01:00
parent aa7ddeb8e9
commit 6658419f69
2 changed files with 3 additions and 3 deletions


@ -173,6 +173,7 @@ sub checkPath {
my $storeDir = $Nix::Config::storeDir . "/"; my $storeDir = $Nix::Config::storeDir . "/";
error($c, "Invalid path in build product.") error($c, "Invalid path in build product.")
if substr($path, 0, length($storeDir)) ne $storeDir || $path =~ /\/\.\./; if substr($path, 0, length($storeDir)) ne $storeDir || $path =~ /\/\.\./;
error($c, "Path $path is a symbolic link.") if -l $path;
} }
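Review bot: The added `-l $path` test in checkPath inspects only the final path component, so a product path whose parent directory inside the output is itself a symlink still passes the prefix and `..` checks and is dereferenced when the file is read. Consider resolving the path and re-checking the prefix, e.g. `my $real = Cwd::realpath($path);` then `error($c, "Invalid path in build product.") unless defined $real && substr($real, 0, length($storeDir)) eq $storeDir;` (this assumes the store directory is not itself reached through a symlink and that Cwd is loaded in this file, neither of which the hunk shows). The same limitation applies to the `next if -l $path;` added in addBuildProducts. There is also a window between this check and the later read of the file; that may be acceptable if store paths are immutable once registered, but a comment stating that assumption would help. checkPath's body begins outside the hunk.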


@ -788,16 +788,15 @@ sub addBuildProducts {
# Ensure that the path exists and points into the Nix store. # Ensure that the path exists and points into the Nix store.
next unless File::Spec->file_name_is_absolute($path); next unless File::Spec->file_name_is_absolute($path);
next if $path =~ /\/\.\./; # don't go up next if $path =~ /\/\.\./; # don't go up
next unless -e $path;
next unless substr($path, 0, length($storeDir)) eq $storeDir; next unless substr($path, 0, length($storeDir)) eq $storeDir;
next unless -e $path;
next if -l $path;
# FIXME: check that the path is in the input closure # FIXME: check that the path is in the input closure
# of the build? # of the build?
my $fileSize, my $sha1, my $sha256; my $fileSize, my $sha1, my $sha256;
# !!! validate $path, $defaultPath
if (-f $path) { if (-f $path) {
my $st = stat($path) or die "cannot stat $path: $!"; my $st = stat($path) or die "cannot stat $path: $!";
$fileSize = $st->size; $fileSize = $st->size;