From 421aa1add1cbae1fd51b8d9efa4ed47dce7a06ac Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Thu, 12 Sep 2024 14:58:33 +0200
Subject: [PATCH] Add tests for invalid file names in NARs

Note: in general, we rely on the OS to tell us if a name is invalid or
if two names normalize in the same way. But for security, we do want
to make sure that we catch '.', '..', slashes and NUL characters. (NUL
characters aren't really a security issue, but since they would be
truncated when we pass them to the OS, it would be canonicity problem.)
---
 tests/functional/dot.nar    | Bin 0 -> 288 bytes
 tests/functional/dotdot.nar | Bin 0 -> 288 bytes
 tests/functional/empty.nar  | Bin 0 -> 280 bytes
 tests/functional/nars.sh    |  20 ++++++++++++++++++++
 tests/functional/nul.nar    | Bin 0 -> 288 bytes
 tests/functional/slash.nar  | Bin 0 -> 288 bytes
 6 files changed, 20 insertions(+)
 create mode 100644 tests/functional/dot.nar
 create mode 100644 tests/functional/dotdot.nar
 create mode 100644 tests/functional/empty.nar
 create mode 100644 tests/functional/nul.nar
 create mode 100644 tests/functional/slash.nar

diff --git a/tests/functional/dot.nar b/tests/functional/dot.nar
new file mode 100644
index 0000000000000000000000000000000000000000..3a9452f67fd7dc8b8c9328c767337c5c51b006c4
GIT binary patch
literal 288
zcmd;OfPlQr3f;t_<c!R+R9!;`1_nlmFoOn^W`WWrl?ACFCMSqsU|>keEJ{r-$uFve
z@>!vDYF-Ig43{~1iMe2NVDfrUeK33S@>5Xcak+yXs;?+Dy)-AWh=BvjPtMOPNzE%M
XW`puGQgd?hxe)%+go?xL$HfN#TmTz&

literal 0
HcmV?d00001

diff --git a/tests/functional/dotdot.nar b/tests/functional/dotdot.nar
new file mode 100644
index 0000000000000000000000000000000000000000..f8d019c3926a8285fd3258798a8f88efc65df48d
GIT binary patch
literal 288
zcmd;OfPlQr3f;t_<c!R+R9!;`1_nlmFoOn^W`WWrl?ACFCMSqsU|>keEJ{r-$uFve
z@>!vDYF-Ig43{~1iMe2Nn4s$Q^dJnFJ$d;lV0m2nVeVjuXk#c!O)t$!EMnk*@{{xP
bN>cMmirJw2jMSW*d@h8)G@;@!^KtP3cfuQ_

literal 0
HcmV?d00001

diff --git a/tests/functional/empty.nar b/tests/functional/empty.nar
new file mode 100644
index 0000000000000000000000000000000000000000..43434f2b4404161a74e8a90c0b5c8e3a11194fdf
GIT binary patch
literal 280
zcmd;OfPlQr3f;t_<c!R+R9!;`1_nlmFoOn^W`WWrl?ACFCMSqsU|>keEJ{r-$uFve
z@>!vDYF-Ig43{~1iMe2NpvoCw=I7<7fW>j?gW1mx)mW68UYe6w#J~aNC+Fvtq~?_r
XvqAY8sX00MTnPVYLd9X`<KhDV%OM*^

literal 0
HcmV?d00001

diff --git a/tests/functional/nars.sh b/tests/functional/nars.sh
index 9f5f43dc6..68b9b45d9 100755
--- a/tests/functional/nars.sh
+++ b/tests/functional/nars.sh
@@ -92,3 +92,23 @@ else
     [[ -e $TEST_ROOT/out/â ]]
     [[ -e $TEST_ROOT/out/â ]]
 fi
+
+# Unpacking a NAR with a NUL character in a file name should fail.
+rm -rf "$TEST_ROOT/out"
+expectStderr 1 nix-store --restore "$TEST_ROOT/out" < nul.nar | grepQuiet "NAR contains invalid file name 'f"
+
+# Likewise for a '.' filename.
+rm -rf "$TEST_ROOT/out"
+expectStderr 1 nix-store --restore "$TEST_ROOT/out" < dot.nar | grepQuiet "NAR contains invalid file name '.'"
+
+# Likewise for a '..' filename.
+rm -rf "$TEST_ROOT/out"
+expectStderr 1 nix-store --restore "$TEST_ROOT/out" < dotdot.nar | grepQuiet "NAR contains invalid file name '..'"
+
+# Likewise for a filename containing a slash.
+rm -rf "$TEST_ROOT/out"
+expectStderr 1 nix-store --restore "$TEST_ROOT/out" < slash.nar | grepQuiet "NAR contains invalid file name 'x/y'"
+
+# Likewise for an empty filename.
+rm -rf "$TEST_ROOT/out"
+expectStderr 1 nix-store --restore "$TEST_ROOT/out" < empty.nar | grepQuiet "NAR contains invalid file name ''"
diff --git a/tests/functional/nul.nar b/tests/functional/nul.nar
new file mode 100644
index 0000000000000000000000000000000000000000..9ae48baf6fa658433e37afdb6cae18b2d056a06c
GIT binary patch
literal 288
zcmd;OfPlQr3f;t_<c!R+R9!;`1_nlmFoOn^W`WWrl?ACFCMSqsU|>keEJ{r-$uFve
z@>!vDYF-Ig43{~1iMe2Nn4#*^81lg^m_2#<DPVbA`eE*12kT;BC`wH)%}Fd`;DGXz
d^Ycnl^Gb@@p!|%~oSb|vgugVQ;xO}Z@d3Yz93B7w

literal 0
HcmV?d00001

diff --git a/tests/functional/slash.nar b/tests/functional/slash.nar
new file mode 100644
index 0000000000000000000000000000000000000000..118a60216cc12d33df202aec4c5dd8fbfbcfce75
GIT binary patch
literal 288
zcmd;OfPlQr3f;t_<c!R+R9!;`1_nlmFoOn^W`WWrl?ACFCMSqsU|>keEJ{r-$uFve
z@>!vDYF-Ig43{~1iMe2Nn4#(`^dTm|?8(bd0n6jk4|4}QRDV%wdTCB#5d#O5pPZjp
blA2di%m(FWq~_%0b0Pet2^EK#kBbig>(3l%

literal 0
HcmV?d00001