Skip to content

DerivationBuilderImpl: Add more hardening for writeBuilderFile#15328

Merged
Ericson2314 merged 1 commit intomasterfrom
more-hardening-file-system-at-builders
Feb 24, 2026
Merged

DerivationBuilderImpl: Add more hardening for writeBuilderFile#15328
Ericson2314 merged 1 commit intomasterfrom
more-hardening-file-system-at-builders

Conversation

@xokdvium
Copy link
Contributor

@xokdvium xokdvium commented Feb 24, 2026
edited
Loading

Motivation

Adds additional layers of hardening for various file-writing utility
functions in the derivation builder. Bad names in non-structured attrs
case are already checked against [A-Za-z_][A-Za-z0-9_.-]* regex, so
this isn't an issue, but adding more hardening is good regardless.

Context

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

xokdvium
xokdvium commented Feb 24, 2026
View reviewed changes
@xokdvium xokdvium marked this pull request as draft February 24, 2026 16:12
@xokdvium
DerivationBuilderImpl: Add more hardening for writeBuilderFile
246c3fe 
Adds additional layers of hardening for various file-writing utility
functions in the derivation builder. Bad names in non-structured attrs
case are already checked against `[A-Za-z_][A-Za-z0-9_.-]*` regex, so
this isn't an issue, but adding more hardening is good regardless.
@xokdvium xokdvium force-pushed the more-hardening-file-system-at-builders branch from 7032c3d to 246c3fe Compare February 24, 2026 16:15
@xokdvium xokdvium marked this pull request as ready for review February 24, 2026 16:19
xokdvium
xokdvium commented Feb 24, 2026
View reviewed changes
src/libstore/unix/build/derivation-builder.cc
auto path = std::filesystem::path(tmpDir) / name;
AutoCloseFD fd{
openat(tmpDirFd.get(), name.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC | O_EXCL | O_NOFOLLOW, 0666)};
auto relPath = CanonPath(name);
Copy link
Contributor Author

@xokdvium xokdvium Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be worth adding a CanonFilename type to verify this in the constructor or something I suppose.

@Ericson2314 Ericson2314 added this pull request to the merge queue Feb 24, 2026
Merged via the queue into master with commit 56735e9 Feb 24, 2026
19 checks passed
@Ericson2314 Ericson2314 deleted the more-hardening-file-system-at-builders branch February 24, 2026 22:44
@roberth roberth mentioned this pull request Mar 2, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ericson2314 Ericson2314 Ericson2314 approved these changes

@edolstra edolstra Awaiting requested review from edolstra

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xokdvium @Ericson2314