Open psydvl opened 2 years ago
psydvl
commented
2 years ago There are a lot of update scripts, which update sha256 with nix-prefetch-url:
Like this one:
https://github.com/NixOS/nixpkgs/blob/8a54f4c0bbef28976f69347c458ce74ed98e0234/pkgs/applications/networking/cluster/terraform-providers/update-provider#L140
SuperSandro2000
commented
2 years ago nix-prefetch-url checks the ssl certificate, fetchurl does not.
$ nix-prefetch-url https://untrusted-root.badssl.com/
warning: error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60); retrying in 345 ms
warning: error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60); retrying in 528 ms
warning: error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60); retrying in 1051 ms
warning: error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60); retrying in 2680 ms
error: unable to download 'https://untrusted-root.badssl.com/': SSL peer certificate or SSH remote key was not OK (60)This is not a problem in nix. The root cause lays in fetchurl which only sets the path to the certificates if the hash is empty https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchurl/default.nix#L142 . This is always the case except when generating the hash for the first time and setting the output hash to empty which does not even work with all functions. In practice it is never checked. This is not easily fixable because cacert uses buildcatrust https://github.com/NixOS/nixpkgs/blob/master/pkgs/data/misc/cacert/default.nix#L5 which means we would need to bootstrap the entirety of python without cacert.
nixos-discourse
commented
2 years ago This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/question-about-fetchers-and-tls/18243/1
TLATER
commented
2 years ago @SuperSandro2000 as mentioned on discourse, it not being a problem is not wrong, but also not entirely true either. An insecure hash can be abused by a particularly crafty adversary here, and there are at least a few packages that use sha1 in nixpkgs (apparently anything using yarn/npm): https://github.com/NixOS/nixpkgs/search?q=sha1&type=
I still think the risk is quite low, but it does exist. Maybe insecure checksums should be deprecated?
timbertson
commented
11 months ago This is not easily fixable because cacert uses buildcatrust https://github.com/NixOS/nixpkgs/blob/master/pkgs/data/misc/cacert/default.nix#L5 which means we would need to bootstrap the entirety of python without cacert.
@SuperSandro2000 It looks like fetchurl allows the cacert dependency to be null. Could the branching logic be that we use --insecure when cacert == null? Then the bootstrapping issue could be resolved by passing cacert = null in the one relevant place (buildcatrust?), but everywhere else it's the real cacert, and performs certificate checking.
Describe the bug
For now,
fetchurlnot check certificate and can make malicious redirects. Like I faced just now, when nix tried to download package source from URL blocked in my country, and there are fully accessible second one.More details in https://github.com/NixOS/nixpkgs/issues/152281
Steps To Reproduce Known for me:
nixpkgs.tor-browser-bundle-binExpected behavior
Nix find out certificate replacement and try to download from next available src source.
nix-env --versionoutputAdditional context Possibly related https://github.com/NixOS/nix/issues/4173