Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fetchTarball accepts ISO images (and likely many unexpected archive formats) #10917

Closed
andir opened this issue Jun 15, 2024 · 1 comment · Fixed by #10918
Closed

fetchTarball accepts ISO images (and likely many unexpected archive formats) #10917

andir opened this issue Jun 15, 2024 · 1 comment · Fixed by #10918
Labels
bug

Comments

@andir
Copy link
Member

andir commented Jun 15, 2024

Describe the bug

The documentation states that fetchTarball requires the file to be tar file. Apparently that isn't entirely true and Nix happily consumes other files.

image

Steps To Reproduce

  1. Open a nix repl and paste nix-repl> builtins.readDir (builtins.fetchTarball "https://releases.nixos.org/nixos/24.05-small/nixos-24.05beta551.6d452319127a/nixos-minimal-24.05beta551.6d452319127a-x86_64-linux.iso")
  2. See that Nix happily downloaded the entire ISO and unpacked it into your store.

Expected behavior

It should fail to unpack the archive..
From the libarchive.org page it seems like the following formats are supported: tar, pax, cpio, zip, xar, lha, ar, cab, mtree, rar, and ISO images. I chose the iso test by random and that succeeded.

nix-env --version output

Additional context

I was trying to figure out what has to be supported to be feature compatible with fetchTarball while working on npins. My objective was to get rid of calling nix-prefetch-url as a subprocess in order to ship the program as a single statically linked binary..

Priorities

Add 👍 to issues you find important.
@andir andir added the bug label Jun 15, 2024
andir added a commit to andir/nix that referenced this issue Jun 15, 2024
@andir
Restrict supported tarball formats to actual Tarballs
e20317f 
The documentation is clear about the supported formats (with at least
`builtins.fetchTarball`). The way the code was written previously it
supported all the formats that libarchive supported. That is a
surprisingly large amount of formats that are likely not on the radar
of the Nix developers and users. Before people end up relying on
this (or if they do) it is better to break it now before it becomes a
widespread "feature".

Fixes NixOS#10917
@andir andir mentioned this issue Jun 15, 2024
Merged
@puckipedia
Copy link
Contributor

I depend on mtree support to replace the usecase for #9911 to some degree. It's also impossible to tell whether any of these have leaked into projects already, either. Someone's definitely used this to fetch rar files, or maybe 7z.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Restrict supported tarball formats to actual Tarballs andir/nix
2 participants
@puckipedia @andir