Disallow store path names that are . or .. (plus opt. -)

As discussed in the maintainer meeting on 2024-01-29. Mainly this is to avoid a situation where the name is parsed and treated as a file name, mostly to protect users. .-* and ..-* are also considered invalid because they might strip on that separator to remove versions. Doesn't really work, but that's what we decided, and I won't argue with it, because .-* probably doesn't seem to have a real world application anyway. We do still permit a 1-character name that's just "-", which still poses a similar risk in such a situation. We can't start disallowing trailing -, because a non-zero number of users will need it and we've seen how annoying and painful such a change is. What matters most is preventing a situation where . or .. can be injected, and to just get this done.
2025-06-28 13:41:15 +02:00 · 2024-01-30 18:37:23 +01:00 · 2024-01-30 18:37:23 +01:00 · 6e3548f866
commit 6e3548f866
parent 80ea2dcc25
4 changed files with 88 additions and 2 deletions
--- a/src/libstore/path-regex.hh
+++ b/src/libstore/path-regex.hh
@ -3,6 +3,11 @@

 namespace nix {

-static constexpr std::string_view nameRegexStr = R"([0-9a-zA-Z\+\-\._\?=]+)";
+
+static constexpr std::string_view nameRegexStr =
+    // This uses a negative lookahead: (?!\.\.?(-|$))
+    //   - deny ".", "..", or those strings followed by '-'
+    //   - when it's not those, start again at the start of the input and apply the next regex, which is [0-9a-zA-Z\+\-\._\?=]+
+    R"((?!\.\.?(-|$))[0-9a-zA-Z\+\-\._\?=]+)";

 }