Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nix accepts invalid SRI hashes (MD5 and SHA-1) #8982

Open
nbraud opened this issue Sep 14, 2023 · 0 comments
Open

Nix accepts invalid SRI hashes (MD5 and SHA-1) #8982

nbraud opened this issue Sep 14, 2023 · 0 comments
Labels
bug

Comments

@nbraud
Copy link
Contributor

nbraud commented Sep 14, 2023
edited
Loading

Describe the bug

Nix accepts outputHash values that resemble the SRI hash format but use invalid hash-algo values, such as md5 or sha1. (hash-algo refering to the term in the SRI grammar)

Steps To Reproduce

Evaluate the following expressions:

fetchurl {
  url = "https://www.perdu.com";
  hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}

Expected behavior

Nix should error out, probably with something like « 'md5' is not an SRI hash algorithm. »

nix-env --version output

nix-env (Nix) 2.17.0

Additional context

  • The SRI hash format's specification refers to “CSP Level 2” for the definition of hash-algo and base64-value, as used in its grammar. In turn, the CSP spec defines hash-algo to be one of sha256, sha384 or sha512.
  • Furthermore, the SRI spec explicitly disallows MD5 and SHA-1:

User agents SHOULD refuse to support known-weak hashing functions like MD5 or SHA-1 and SHOULD restrict supported hashing functions to those known to be collision-resistant.

Priorities

Add 👍 to issues you find important.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nbraud