forked from lix-project/hydra
Security: Ensure that a build product refers to the Nix store
This commit is contained in:
parent
10882a1ffd
commit
cd83b8e3aa
1 changed files with 15 additions and 1 deletions
|
@ -6,6 +6,7 @@ use XML::Simple;
|
|||
use POSIX qw(strftime);
|
||||
use IPC::Run;
|
||||
use Nix::Store;
|
||||
use Nix::Config;
|
||||
use Hydra::Model::DB;
|
||||
use Hydra::Helper::Nix;
|
||||
use Digest::SHA qw(sha256_hex);
|
||||
|
@ -13,6 +14,7 @@ use File::Basename;
|
|||
use File::stat;
|
||||
use File::Path;
|
||||
use File::Temp;
|
||||
use File::Spec;
|
||||
use File::Slurp;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
|
@ -768,6 +770,7 @@ sub addBuildProducts {
|
|||
|
||||
my $productnr = 1;
|
||||
my $explicitProducts = 0;
|
||||
my $storeDir = $Nix::Config::storeDir . "/";
|
||||
|
||||
foreach my $output ($build->buildoutputs->all) {
|
||||
my $outPath = $output->path;
|
||||
|
@ -779,9 +782,17 @@ sub addBuildProducts {
|
|||
/^([\w\-]+)\s+([\w\-]+)\s+(\S+)(\s+(\S+))?$/ or next;
|
||||
my $type = $1;
|
||||
my $subtype = $2 eq "none" ? "" : $2;
|
||||
my $path = $3;
|
||||
my $path = File::Spec->canonpath($3);
|
||||
my $defaultPath = $5;
|
||||
|
||||
# Ensure that the path exists and points into the Nix store.
|
||||
next unless File::Spec->file_name_is_absolute($path);
|
||||
next if $path =~ /\/\.\./; # don't go up
|
||||
next unless -e $path;
|
||||
next unless substr($path, 0, length($storeDir)) eq $storeDir;
|
||||
|
||||
# FIXME: check that the path is in the input closure
|
||||
# of the build?
|
||||
|
||||
my $fileSize, my $sha1, my $sha256;
|
||||
|
||||
|
@ -1036,8 +1047,11 @@ sub restartBuild {
|
|||
, timestamp => time
|
||||
, busy => 0
|
||||
, locker => ""
|
||||
, iscachedbuild => 0
|
||||
});
|
||||
|
||||
$build->buildproducts->delete_all;
|
||||
|
||||
# Reset the stats for the evals to which this build belongs.
|
||||
# !!! Should do this in a trigger.
|
||||
foreach my $m ($build->jobsetevalmembers->all) {
|
||||
|
|
Loading…
Reference in a new issue