From 87c22100a6892b864ff94476f2965a793d8e4282 Mon Sep 17 00:00:00 2001
From: nicoo <nicoo@mur.at>
Date: Thu, 14 Sep 2023 16:45:25 +0000
Subject: stdenv.mkDerivation: Reject MD5 hashes

While there is no fetcher or builder (in nixpkgs) that takes an `md5` parameter,
for some inscrutable reason the nix interpreter accepts the following:
```nix
fetchurl {
  url = "https://www.perdu.com";
  hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}
```

Note that neither MD5 nor SHA1 are allowed by the syntax of SRI hashes.
---
 pkgs/stdenv/generic/make-derivation.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'pkgs/stdenv/generic')

diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index beba687e788..d235ffefaab 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -165,6 +165,17 @@ let
 
 , ... } @ attrs:
 
+# Policy on acceptable hash types in nixpkgs
+assert attrs ? outputHash -> (
+  let algo =
+    attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash));
+  in
+  if algo == "md5" then
+    throw "Rejected insecure ${algo} hash '${attrs.outputHash}'"
+  else
+    true
+);
+
 let
   # TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when
   # no package has `doCheck = true`.
-- 
cgit 1.4.1