author | Robert Helgesson <robert@rycee.net> | 2020-08-29 18:22:03 +0200 |
---|---|---|
committer | Robert Helgesson <robert@rycee.net> | 2020-08-29 18:22:03 +0200 |
commit | 4fe5afa7557e1f135b02ca9adef7c592852adccb (patch) | |
tree | 3ef33721b8066caefba5b64ffb805c21f0b81d87 | |
parent | 209fb62d4983f1219f10b2e89debd169549161b1 (diff) |
files: make sure the target file name is escaped
The previous implementation would allow variables to sneak into the
file names. This commit makes sure the resulting target file path
exactly matches the expected path.
-rw-r--r-- | modules/files.nix | 15 | ||||
-rw-r--r-- | tests/modules/files/default.nix | 1 | ||||
-rw-r--r-- | tests/modules/files/target-with-shellvar.nix | 15 |
3 files changed, 25 insertions, 6 deletions
diff --git a/modules/files.nix b/modules/files.nix
index e0ad8facac1..09ecf715497 100644
--- a/modules/files.nix
+++ b/modules/files.nix
@@ -316,12 +316,15 @@ in } '' + concatStrings ( mapAttrsToList (n: v: ''
- insertFile "${sourceStorePath v}" \
- "${v.target}" \
- "${if v.executable == null
- then "inherit"
- else builtins.toString v.executable}" \
- "${builtins.toString v.recursive}"
+ insertFile ${
+ escapeShellArgs [
+ (sourceStorePath v)
+ v.target
+ (if v.executable == null
+ then "inherit"
+ else toString v.executable)
+ (toString v.recursive)
+ ]}
 '') cfg )); };
diff --git a/tests/modules/files/default.nix b/tests/modules/files/default.nix
index 77743a760dc..6f1ef24b810 100644
--- a/tests/modules/files/default.nix
+++ b/tests/modules/files/default.nix
@@ -3,5 +3,6 @@
 files-hidden-source = ./hidden-source.nix;
 files-out-of-store-symlink = ./out-of-store-symlink.nix;
 files-source-with-spaces = ./source-with-spaces.nix;
+ files-target-with-shellvar = ./target-with-shellvar.nix;
 files-text = ./text.nix;
 }
diff --git a/tests/modules/files/target-with-shellvar.nix b/tests/modules/files/target-with-shellvar.nix
new file mode 100644
index 00000000000..c54946eb9eb
--- /dev/null
+++ b/tests/modules/files/target-with-shellvar.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ config = {
+ home.file."$HOME/$FOO/bar baz".text = "blah";
+
+ nmt.script = ''
+ assertFileExists 'home-files/$HOME/$FOO/bar baz';
+ assertFileContent 'home-files/$HOME/$FOO/bar baz' \
+ ${pkgs.writeText "expected" "blah"}
+ '';
+ };
+}
|
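Review bot: The `escapeShellArgs [ ... ]` call in the `mapAttrsToList` body of modules/files.nix carries no comment saying that the arguments must reach `insertFile` as literal words, so a later cleanup could go back to `"${v.target}"` interpolation and reopen shell expansion of the target. I would add a Nix comment inside the `${ ... }`, for example `# Escape every argument: v.target comes from the configuration and must not undergo shell expansion.` The escaping protects only this call site; `insertFile` is defined outside the hunk, so it is worth confirming that it double-quotes its second argument wherever that value is used. The enclosing expression starts and ends outside the hunk.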
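Review bot: The new test in tests/modules/files/target-with-shellvar.nix pins only `$VAR` references and a space in the target name, while the removed double-quoted form would also have expanded command substitution and been broken by an embedded double quote. A second `home.file` entry whose name contains those characters, with a matching `assertFileExists`, would pin the full escaping behaviour rather than just variable expansion. Separately, `with lib;` appears unused in this file and could be dropped.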