diff options
author | aszlig <aszlig@nix.build> | 2019-04-06 12:51:56 +0200 |
---|---|---|
committer | aszlig <aszlig@nix.build> | 2019-04-06 12:51:56 +0200 |
commit | 6fe989eaed7d283bbde7a58e42ce36c676870aee (patch) | |
tree | 2b9abf5cfb73bd2ef07fc0fcbbba4f13e6a218a1 /nixos/tests/common | |
parent | f3099279f0c294f8e18f295abe735df31a6a906c (diff) | |
download | nixpkgs-6fe989eaed7d283bbde7a58e42ce36c676870aee.tar nixpkgs-6fe989eaed7d283bbde7a58e42ce36c676870aee.tar.gz nixpkgs-6fe989eaed7d283bbde7a58e42ce36c676870aee.tar.bz2 nixpkgs-6fe989eaed7d283bbde7a58e42ce36c676870aee.tar.lz nixpkgs-6fe989eaed7d283bbde7a58e42ce36c676870aee.tar.xz nixpkgs-6fe989eaed7d283bbde7a58e42ce36c676870aee.tar.zst nixpkgs-6fe989eaed7d283bbde7a58e42ce36c676870aee.zip |
nixos/tests/acme: Use exact match in TOS location
Since the switch to check the nginx config with gixy in 59fac1a6d7e1983a1e7bd518129ff9ef39a013dd, the ACME test doesn't build anymore, because gixy reports the following false-positive (reindented): >> Problem: [alias_traversal] Path traversal via misconfigured alias. Severity: MEDIUM Description: Using alias in a prefixed location that doesn't ends with directory separator could lead to path traversal vulnerability. Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md Pseudo config: server { server_name letsencrypt.org; location /documents/2017.11.15-LE-SA-v1.2.pdf { alias /nix/store/y4h5ryvnvxkajkmqxyxsk7qpv7bl3vq7-2017.11.15-LE-SA-v1.2.pdf; } } The reason this is a false-positive is because the destination is not a directory, so something like "/foo.pdf../other.txt" won't work here, because the resulting path would be ".../destfile.pdf../other.txt". Nevertheless it's a good idea to use the exact match operator (=), to not only shut up gixy but also gain a bit of performance in lookup (not that it would matter in our test). Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'nixos/tests/common')
-rw-r--r-- | nixos/tests/common/letsencrypt/default.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/tests/common/letsencrypt/default.nix b/nixos/tests/common/letsencrypt/default.nix index 73aac51a012..8fe59bf4e70 100644 --- a/nixos/tests/common/letsencrypt/default.nix +++ b/nixos/tests/common/letsencrypt/default.nix @@ -381,7 +381,7 @@ in { enableACME = false; sslCertificate = siteCertFile; sslCertificateKey = siteKeyFile; - locations.${tosPath}.extraConfig = "alias ${tosFile};"; + locations."= ${tosPath}".alias = tosFile; }; systemd.services = { |