diff options
author | Florian Klink <flokli@flokli.de> | 2023-08-19T20·01+0200 |
---|---|---|
committer | flokli <flokli@flokli.de> | 2023-08-20T22·19+0000 |
commit | 0193f07642db752c3e14e02064c02b0fd1cc060b (patch) | |
tree | 85130551dd210f650bc66b4a1dc2d612bbaa5e0c /tvix/nix-compat/src/derivation | |
parent | 4017039595fc85c02c8c313b73073220954b9f5a (diff) |
refactor(tvix/nix-compat/nixhash): validate digest lengths r/6512
There was a NixHash::new() before, which didn't perform any validation of the digest length. We had some length validation when parsing nix hashes or SRI hashes, but some places didn't perform validation and/or constructed the struct directly. Replace NixHash::new() with a `impl TryFrom<(HashAlgo, Vec<u8>)> for NixHash`, which does do this validation, and update constructing code to use that, rather than populating structs directly. In some rare cases where we're sure the digest length is correct we still populate the struct manually. Fixes b/291. Change-Id: I7a323c5b18d94de0ec15e391b3e7586df42f4229 Reviewed-on: https://cl.tvl.fyi/c/depot/+/9109 Reviewed-by: raitobezarius <tvl@lahfa.xyz> Autosubmit: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
Diffstat (limited to 'tvix/nix-compat/src/derivation')
-rw-r--r-- | tvix/nix-compat/src/derivation/mod.rs | 8 | ||||
-rw-r--r-- | tvix/nix-compat/src/derivation/tests/mod.rs | 21 |
2 files changed, 19 insertions, 10 deletions
diff --git a/tvix/nix-compat/src/derivation/mod.rs b/tvix/nix-compat/src/derivation/mod.rs index 318f2cc1ae99..0e98e24f43dd 100644 --- a/tvix/nix-compat/src/derivation/mod.rs +++ b/tvix/nix-compat/src/derivation/mod.rs @@ -185,7 +185,13 @@ impl Derivation { hasher.finalize().to_vec() }); - NixHash::new(crate::nixhash::HashAlgo::Sha256, digest.to_vec()) + + // We populate the struct directly, as we know the sha256 digest has the + // right size. + NixHash { + algo: crate::nixhash::HashAlgo::Sha256, + digest: digest.to_vec(), + } } /// This calculates all output paths of a Derivation and updates the struct. diff --git a/tvix/nix-compat/src/derivation/tests/mod.rs b/tvix/nix-compat/src/derivation/tests/mod.rs index 1818a08c9bc3..de4ebb6cb20e 100644 --- a/tvix/nix-compat/src/derivation/tests/mod.rs +++ b/tvix/nix-compat/src/derivation/tests/mod.rs @@ -1,6 +1,5 @@ use crate::derivation::output::Output; use crate::derivation::Derivation; -use crate::nixhash::NixHash; use crate::store_path::StorePath; use bstr::{BStr, BString}; use std::collections::{BTreeMap, BTreeSet}; @@ -238,15 +237,19 @@ fn output_path_construction() { "out".to_string(), Output { path: "".to_string(), // will be calculated - hash_with_mode: Some(crate::nixhash::NixHashWithMode::Recursive(NixHash { - digest: data_encoding::HEXLOWER - .decode( - "08813cbee9903c62be4c5027726a418a300da4500b2d369d3af9286f4815ceba" - .as_bytes(), - ) + hash_with_mode: Some(crate::nixhash::NixHashWithMode::Recursive( + ( + crate::nixhash::HashAlgo::Sha256, + data_encoding::HEXLOWER + .decode( + "08813cbee9903c62be4c5027726a418a300da4500b2d369d3af9286f4815ceba" + .as_bytes(), + ) + .unwrap(), + ) + .try_into() .unwrap(), - algo: crate::nixhash::HashAlgo::Sha256, - })), + )), }, ); |