diff options
| author | nicoo <nicoo@mur.at> | 2023-09-14 16:45:25 +0000 |
|---|---|---|
| committer | nicoo <nicoo@mur.at> | 2023-10-25 23:14:15 +0000 |
| commit | 87c22100a6892b864ff94476f2965a793d8e4282 (patch) | |
| tree | 9aca9f12b053dad5a1ab29139db1bb640ee467f3 /pkgs | |
| parent | c8c3423a38e672dd2fd63e9ccfb372639a63ca27 (diff) | |
| download | nixpkgs-87c22100a6892b864ff94476f2965a793d8e4282.tar nixpkgs-87c22100a6892b864ff94476f2965a793d8e4282.tar.gz nixpkgs-87c22100a6892b864ff94476f2965a793d8e4282.tar.bz2 nixpkgs-87c22100a6892b864ff94476f2965a793d8e4282.tar.lz nixpkgs-87c22100a6892b864ff94476f2965a793d8e4282.tar.xz nixpkgs-87c22100a6892b864ff94476f2965a793d8e4282.tar.zst nixpkgs-87c22100a6892b864ff94476f2965a793d8e4282.zip | |
stdenv.mkDerivation: Reject MD5 hashes
While there is no fetcher or builder (in nixpkgs) that takes an `md5` parameter,
for some inscrutable reason the nix interpreter accepts the following:
```nix
fetchurl {
url = "https://www.perdu.com";
hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}
```
Note that neither MD5 nor SHA1 are allowed by the syntax of SRI hashes.
Diffstat (limited to 'pkgs')
| -rw-r--r-- | pkgs/stdenv/generic/make-derivation.nix | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix index beba687e788..d235ffefaab 100644 --- a/pkgs/stdenv/generic/make-derivation.nix +++ b/pkgs/stdenv/generic/make-derivation.nix @@ -165,6 +165,17 @@ let , ... } @ attrs: +# Policy on acceptable hash types in nixpkgs +assert attrs ? outputHash -> ( + let algo = + attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash)); + in + if algo == "md5" then + throw "Rejected insecure ${algo} hash '${attrs.outputHash}'" + else + true +); + let # TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when # no package has `doCheck = true`. |