Check the CA hash when importing stuff in the local store

When adding a path to the local store (via `LocalStore::addToStore`), ensure that the `ca` field of the provided `ValidPathInfo` does indeed correspond to the content of the path. Otherwise any untrusted user (or any binary cache) can add arbitrary content-addressed paths to the store (as content-addressed paths don’t need a signature).
2025-07-08 06:53:54 +02:00 · 2021-05-27 13:25:25 +02:00 · 2021-05-27 13:25:25 +02:00 · 3dbd83b9a1
commit 3dbd83b9a1
parent 5713ff48c3
4 changed files with 97 additions and 2 deletions
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@ -1029,6 +1029,40 @@ void LocalStore::addToStore(const ValidPathInfo & info, Source & source,
                throw Error("size mismatch importing path '%s';\n  wanted: %s\n  got:   %s",
                    info.path, info.narSize, hashResult.second);
            if (!info.ca.empty()) {
                auto ca = info.ca;
                if (hasPrefix(ca, "fixed:")) {
                    bool recursive = ca.compare(6, 2, "r:") == 0;
                    Hash expectedHash(std::string(ca, recursive ? 8 : 6));
                    if (info.references.empty()) {
                        auto actualFoHash = hashCAPath(
                                recursive,
                                expectedHash.type,
                                info.path
                                );
                        if (ca != actualFoHash) {
                            throw Error("ca hash mismatch importing path '%s';\n  specified: %s\n  got:       %s",
                                    info.path,
                                    ca,
                                    actualFoHash);
                        }
                    } else {
                        throw Error("path '%s' claims to be content-addressed, but has references. This isn’t allowed",
                                info.path);
                    }
                } else if (hasPrefix(ca, "text:")) {
                    Hash textHash(std::string(ca, 5));
                    auto actualTextHash = hashString(htSHA256, readFile(realPath));
                    if (textHash != actualTextHash) {
                        throw Error("ca hash mismatch importing path '%s';\n  specified: %s\n  got:       %s",
                                info.path,
                                textHash.to_string(Base32, true),
                                actualTextHash.to_string(Base32, true));
                    }
                }
            }
            autoGC();
            canonicalisePathMetaData(realPath, -1);
@ -1450,4 +1484,20 @@ void LocalStore::createUser(const std::string & userName, uid_t userId)
 }
 std::string LocalStore::hashCAPath(
    bool recursive,
    const HashType & hashType,
    const Path & path
 )
 {
    HashSink caSink(hashType);
    if (recursive) {
        dumpPath(path, caSink);
    } else {
        readFile(path, caSink);
    }
    auto hash = caSink.finish().first;
    return makeFixedOutputCA(recursive, hash);
 }
 }
--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@ -295,8 +295,14 @@ private:
    void createUser(const std::string & userName, uid_t userId) override;
-    friend class DerivationGoal;
+    std::string hashCAPath(
-    friend class SubstitutionGoal;
+        bool recursive,
        const HashType & hashType,
        const Path & path
    );
    friend struct DerivationGoal;
    friend struct SubstitutionGoal;
 };
--- a/tests/local.mk
+++ b/tests/local.mk
@ -12,6 +12,7 @@ nix_tests = \
  timeout.sh secure-drv-outputs.sh nix-channel.sh \
  multiple-outputs.sh import-derivation.sh fetchurl.sh optimise-store.sh \
  binary-cache.sh nix-profile.sh repair.sh dump-db.sh case-hack.sh \
  substitute-with-invalid-ca.sh \
  check-reqs.sh pass-as-file.sh tarball.sh restricted.sh \
  placeholders.sh nix-shell.sh \
  linux-sandbox.sh \
--- a/tests/substitute-with-invalid-ca.sh
+++ b/tests/substitute-with-invalid-ca.sh
@ -0,0 +1,38 @@
 source common.sh
 BINARY_CACHE=file://$cacheDir
 getHash() {
    basename "$1" | cut -d '-' -f 1
 }
 getRemoteNarInfo () {
    echo "$cacheDir/$(getHash "$1").narinfo"
 }
 cat <<EOF > $TEST_HOME/good.txt
 I’m a good path
 EOF
 cat <<EOF > $TEST_HOME/bad.txt
 I’m a bad path
 EOF
 good=$(nix-store --add $TEST_HOME/good.txt)
 bad=$(nix-store --add $TEST_HOME/bad.txt)
 nix copy --to "$BINARY_CACHE" "$good"
 nix copy --to "$BINARY_CACHE" "$bad"
 nix-collect-garbage >/dev/null 2>&1
 # Falsifying the narinfo file for '$good'
 goodPathNarInfo=$(getRemoteNarInfo "$good")
 badPathNarInfo=$(getRemoteNarInfo "$bad")
 for fieldName in URL FileHash FileSize NarHash NarSize; do
    sed -i "/^$fieldName/d" "$goodPathNarInfo"
    grep -E "^$fieldName" "$badPathNarInfo" >> "$goodPathNarInfo"
 done
 # Copying back '$good' from the binary cache. This should fail as it is
 # corrupted
 if nix copy --from "$BINARY_CACHE" "$good"; then
    fail "Importing a path with a wrong CA field should fail"
 fi