fetchurl: only allow empty hash when cacert is available

We can use cacert to validate that the data passes SSL certificates. Normally, this doesn’t happen because we already have the hash, but in the hash = "" case we don’t.
NixOS · Jun 9, 2020 · 0046802 · 0046802
1 parent a528cc1
commit 0046802
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/pkgs/build-support/fetchurl/builder.sh b/pkgs/build-support/fetchurl/builder.sh
@@ -15,8 +15,14 @@ curl=(
     --retry 3
     --disable-epsv
     --cookie-jar cookies
-    --insecure
     --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
+)
+
+if ! [ -f "$SSL_CERT_FILE" ]; then
+    curl+=(--insecure)
+fi
+
+curl+=(
     $curlOpts
     $NIX_CURL_FLAGS
 )

diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix
@@ -1,4 +1,6 @@
-{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC, curl }: # Note that `curl' may be `null', in case of the native stdenvNoCC.
+{ lib, buildPackages ? { inherit stdenvNoCC; }, stdenvNoCC
+, curl # Note that `curl' may be `null', in case of the native stdenvNoCC.
+, cacert ? null }:
 
 let
 
@@ -112,7 +114,8 @@ let
     else if sha512 != "" then { outputHashAlgo = "sha512"; outputHash = sha512; }
     else if sha256 != "" then { outputHashAlgo = "sha256"; outputHash = sha256; }
     else if sha1   != "" then { outputHashAlgo = "sha1";   outputHash = sha1; }
-    else { outputHashAlgo = "sha256"; outputHash = ""; };
+    else if cacert != null then { outputHashAlgo = "sha256"; outputHash = ""; }
+    else throw "fetchurl requires a hash for fixed-output derivation: ${lib.concatStringsSep ", " urls_}";
 in
 
 stdenvNoCC.mkDerivation {
@@ -134,6 +137,10 @@ stdenvNoCC.mkDerivation {
   # New-style output content requirements.
   inherit (hash_) outputHashAlgo outputHash;
 
+  SSL_CERT_FILE = if hash_.outputHash == ""
+                  then "${cacert}/etc/ssl/certs/ca-bundle.crt"
+                  else "/no-cert-file.crt";
+
   outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
 
   inherit curlOpts showURLs mirrorsFile postFetch downloadToTemp executable;

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -331,6 +331,7 @@ in
    then buildPackages.fetchurl # No need to do special overrides twice,
    else makeOverridable (import ../build-support/fetchurl) {
     inherit lib stdenvNoCC buildPackages;
+    inherit cacert;
     curl = buildPackages.curl.override (old: rec {
       # break dependency cycles
       fetchurl = stdenv.fetchurlBoot;