Security: Ensure that a build product refers to the Nix store

[?]
Feb 13, 2013, 5:26 PM
YDVFPMKPTZAZTF37O3V3CCMRIZHUMD6QNB6A775ZCKFTCHWRHVZQC

Dependencies

  • [2] PMNWRTGJ Add multiple output support
  • [3] FM4O2L4M hydra: if evaluator sees cached build, also add the buildproducts
  • [*] OOQ2D3KC * Refactoring: move fetchInput out of hydra_scheduler into a separate
  • [*] 7DWCXNC7 Use the new Nix Perl bindings
  • [*] TJK27WSB Open the DB using Hydra::Model::DB->new
  • [*] ARD6Z67T Do incremental SVN checkouts
  • [*] OSVLMLCQ hydra: factored out build restart and
  • [*] CQTN62OH Die tabs die
  • [*] 2UZJG6XT Clear nrSucceeded when restarting a build

Change contents

  • edit in src/lib/Hydra/Helper/AddBuilds.pm at line 9
    [6.143]
    [7.0]
    use Nix::Config;
  • edit in src/lib/Hydra/Helper/AddBuilds.pm at line 17
    [8.16]
    [2.4482]
    use File::Spec;
  • edit in src/lib/Hydra/Helper/AddBuilds.pm at line 773
    [2.5152]
    [3.110]
    my $storeDir = $Nix::Config::storeDir . "/";
  • replacement in src/lib/Hydra/Helper/AddBuilds.pm at line 785
    [2.5600][2.5600:5631]()
    my $path = $3;
    [2.5600]
    [2.5631]
    my $path = File::Spec->canonpath($3);
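    Review bot: File::Spec->canonpath is a purely textual cleanup (it collapses repeated slashes and "/./" components) and by design does not resolve ".." or follow symlinks, so this replacement on its own does not normalize the path; it only makes the later string tests see a predictable form. If a real canonical path is wanted, Cwd::abs_path (realpath) would be the call, at the cost of a filesystem lookup.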
  • edit in src/lib/Hydra/Helper/AddBuilds.pm at line 787
    [2.5669]
    [2.5669]
    # Ensure that the path exists and points into the Nix store.
    next unless File::Spec->file_name_is_absolute($path);
    next if $path =~ /\/\.\./; # don't go up
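    Review bot: the comment says "Ensure that the path exists", but nothing in this hunk tests existence (no -e $path); either add the test or reword the comment to match what is checked. The ".." guard /\/\.\./ also rejects any component that merely starts with "..", such as "..foo", not only the parent-directory component; /\/\.\.(\/|$)/ would be more precise. Because the path has not been resolved with abs_path, these tests constrain the literal string only, not the file it ultimately designates.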
  • edit in src/lib/Hydra/Helper/AddBuilds.pm at line 792
    [2.5707]
    [3.567]
    next unless substr($path, 0, length($storeDir)) eq $storeDir;
    # FIXME: check that the path is in the input closure
    # of the build?
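    Review bot: this prefix test is correct only because $storeDir was given a trailing "/" at line 773; without it, substr would also accept a sibling directory whose name merely starts with the store path, so that dependency between the two hunks deserves a comment next to this line. The FIXME about the input closure is the remaining gap: a path can pass this check while belonging to a store path the build never produced or consumed, and the commit message does not say whether that is acceptable for now.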
  • edit in src/lib/Hydra/Helper/AddBuilds.pm at line 1050
    [9.964]
    [10.4777]
    , iscachedbuild => 0
  • edit in src/lib/Hydra/Helper/AddBuilds.pm at line 1052
    [10.4793]
    [11.85]
    $build->buildproducts->delete_all;