Security: Improve checking of build products
Apr 2, 2013, 9:32 PM
6ZB4CIW66KZMCEBTUWTRRNKQAV5WVPYX4QLFAJT5TTJ3CMS4JMXQC
Dependencies
- IJSJLRZH  Disallow build products that are symlinks
- HTL6HIBM  machine-status: Read /etc/nix.machines instead of using the BuildMachines table
- PY5GVGC7  Implemented quoted strings support in hydra-build-products to allow file names with spaces + testcase
- FM4O2L4M  hydra: if evaluator sees cached build, also add the buildproducts
- PMNWRTGJ  Add multiple output support
- VYGMJ33O  * Catalyst now escapes slashes to %2f, which broke defaultUriForProduct.
- 7UHHF564  Security: Also check paths in the web server
- VH5ZABDR  Add a page to show the latest evaluations for the entire server
- LBNVQXUB  * Build the /build stuff in a separate controller.
- NUIKDEHL  * A quick hack to list the contents of various types of files (RPM,
- BDSD2JLV  * Speed up manifest generation.
- GJFYEU3S  * Nix now stores logs by default as bzip2, make sure the build page uncompresses before showing.
- XJFHFZCA  * Provide some redirects to build products by type so that we can for
- YDVFPMKP  Security: Ensure that a build product refers to the Nix store
- OOQ2D3KC  * Refactoring: move fetchInput out of hydra_scheduler into a separate
- 2GK5DOU7  * Downloading closures.
Change contents
- replacement in src/lib/Hydra/Controller/Build.pm at line 173
my $storeDir = $Nix::Config::storeDir . "/";error($c, "Invalid path in build product.")if substr($path, 0, length($storeDir)) ne $storeDir || $path =~ /\/\.\./;error($c, "Path ‘$path’ is a symbolic link.") if -l $path;my $path = pathIsInsidePrefix($path, $Nix::Config::storeDir);error($c, "Build product refers outside of the Nix store.") unless defined $path;return $path; - replacement in src/lib/Hydra/Controller/Build.pm at line 205
checkPath($self, $c, $path);$path = checkPath($self, $c, $path); - replacement in src/lib/Hydra/Controller/Build.pm at line 249
checkPath($self, $c, $path);$path = checkPath($self, $c, $path); - replacement in src/lib/Hydra/Helper/AddBuilds.pm at line 788
my $path = File::Spec->canonpath((substr $3, 0, 1) eq "\"" ? substr $3, 1, -1 : $3);my $path = substr($3, 0, 1) eq "\"" ? substr($3, 1, -1) : $3; - replacement in src/lib/Hydra/Helper/AddBuilds.pm at line 793
next if $path =~ /\/\.\./; # don't go upnext unless substr($path, 0, length($storeDir)) eq $storeDir;$path = pathIsInsidePrefix($path, $Nix::Config::storeDir);next unless defined $path; - edit in src/lib/Hydra/Helper/AddBuilds.pm at line 796
next if -l $path; - replacement in src/lib/Hydra/Helper/Nix.pm at line 19
getEvals getMachines);getEvals getMachinespathIsInsidePrefix); - edit in src/lib/Hydra/Helper/Nix.pm at line 403
}# Check whether ‘$path’ is inside ‘$prefix’. In particular, it checks# that resolving symlink components of ‘$path’ never takes us outside# of ‘$prefix’. We use this to check that Nix build products don't# refer to things outside of the Nix store (e.g. /etc/passwd) or to# symlinks outside of the store that point into the store# (e.g. /run/current-system). Return undef or the resolved path.sub pathIsInsidePrefix {my ($path, $prefix) = @_;my $n = 0;$path =~ s/\/+/\//g; # remove redundant slashes$path =~ s/\/*$//; # remove trailing slashesreturn undef unless $path eq $prefix || substr($path, 0, length($prefix) + 1) eq "$prefix/";my @cs = File::Spec->splitdir(substr($path, length($prefix) + 1));my $cur = $prefix;foreach my $c (@cs) {next if $c eq ".";# ‘..’ should not take us outside of the prefix.if ($c eq "..") {return if length($cur) <= length($prefix);$cur =~ s/\/[^\/]*$// or die; # remove last componentnext;}my $new = "$cur/$c";if (-l $new) {my $link = readlink $new or return undef;$new = substr($link, 0, 1) eq "/" ? $link : "$cur/$link";$new = pathIsInsidePrefix($new, $prefix);return undef unless defined $new;}$cur = $new;}return $cur;
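Review bot: in the Build.pm hunk at line 173, `my $path = pathIsInsidePrefix($path, $Nix::Config::storeDir);` redeclares `$path` with `my` while reading the existing `$path` on the right-hand side; Perl's scoping makes that work, but if the incoming `$path` is declared in the same scope it produces a "my variable masks earlier declaration" warning. A plain assignment, `$path = pathIsInsidePrefix($path, $Nix::Config::storeDir);`, is what the two call sites below do and avoids the shadowing. Also worth stating in the commit message: the old `error($c, "Path ‘$path’ is a symbolic link.") if -l $path;` is gone, so a build product that is itself a symlink is now accepted when its resolved target lies inside the store, and the resolved target path is what callers receive and serve.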
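Review bot: the Build.pm hunks at lines 205 and 249 change `checkPath($self, $c, $path);` to `$path = checkPath($self, $c, $path);`, which is now mandatory rather than optional: `checkPath` returns the symlink-resolved path, so any remaining caller that ignores the return value would pass the original, unresolved path on to the file-serving code and lose the protection this change adds. Worth a grep for other `checkPath(` call sites before merging.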
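Review bot: in the AddBuilds.pm hunk at line 788, dropping `File::Spec->canonpath` is only safe because the new `pathIsInsidePrefix` performs the equivalent normalisation itself (repeated slashes collapsed, trailing slashes stripped, `.` components skipped) and its return value replaces `$path` a few lines later; a one-line comment at this site saying that canonicalisation now happens in `pathIsInsidePrefix` would keep a future refactor from reintroducing an unnormalised path here.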
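Review bot: in the AddBuilds.pm hunk at line 793, a product that fails `pathIsInsidePrefix` is dropped with a bare `next unless defined $path;`, so a build whose product line points outside the store, or through a symlink that leaves it, silently vanishes from the products list with nothing in the log. Logging a warning with the offending path before the `next` would make such builds diagnosable for the packager and would also surface attempts to reference paths like /etc/passwd, which is exactly the case the helper's own comment describes.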
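Review bot: in the AddBuilds.pm hunk at line 796, `next if -l $path;` sits after `$path` has been replaced by the value returned from `pathIsInsidePrefix`, which resolves every symlink component before returning; the `-l` test can therefore only fire if the filesystem changed between the two calls. If the line is being removed, that is consistent with the Build.pm change, which also drops its `-l` check; if it stays, a comment that it is only a race guard would stop the next reader from assuming it carries the symlink policy.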
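Review bot: in the Nix.pm hunk at line 403, `my $n = 0;` is declared and never used, and the recursion that follows a symlink (`$new = pathIsInsidePrefix($new, $prefix);`) has no depth bound, so two links inside the store that point at each other recurse until Perl exhausts its stack; `$n` looks like the intended counter, so thread a depth argument through the recursive call and `return undef` past a small limit (for comparison, the Linux kernel caps symlink following at 40). Three smaller points: when `$path eq $prefix`, `substr($path, length($prefix) + 1)` starts one character past the end of the string and warns under `use warnings`, so return `$prefix` early in that case; `$prefix` is never normalised, so a store directory configured with a trailing slash makes the `"$prefix/"` comparison fail for every path; and the `..` branch uses a bare `return` where every other failure path uses `return undef`, which satisfies the callers' `defined` checks in scalar context but hands an empty list to any list-context caller.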