0e444785a1
The `nixos-rebuild` tool calls `get-version-suffix` to figure out the git revision of the nixpkgs directory if it contains a `.git`. The fix for https://nvd.nist.gov/vuln/detail/CVE-2022-24765 makes git throw an error when its `.git` discovery logic is in effect and the `.git` directory it finds is owned by a different user (otherwise that user could trick the caller into picking up arbitrary git config). So from now on we always explicitly set `--git-dir`, which turns this discovery logic (and thus the ownership check) off. Note that git still reads the config inside the given `.git`, so this assumes the nixpkgs checkout itself is one the user running `nixos-rebuild` trusts.
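#######################################
# Determine the git revision of a (nixpkgs) checkout.
# Globals:   rev (written) - short HEAD hash, with "M" appended when the
#            working tree is dirty; empty when $1 has no .git, git is not
#            installed, or git cannot resolve HEAD.
# Arguments: $1 - directory that may contain a .git
# Side effects: changes the current directory to $1 when it has a .git.
#            An explicit --git-dir disables git's repository *and* work-tree
#            discovery, so git treats the cwd as the work tree, which
#            `describe --dirty` needs.
# Security:  passing --git-dir explicitly bypasses the directory discovery
#            that the CVE-2022-24765 ownership (safe.directory) check is tied
#            to. Git still reads "$gitDir/config", so only run this against
#            a checkout whose .git the invoking user trusts.
#######################################
getVersion() {
    local dir="$1"
    local gitDir="$dir/.git"
    rev=

    [ -e "$gitDir" ] || return 0

    if [ -z "$(type -P git)" ]; then
        echo "warning: Git not found; cannot figure out revision of $dir" >&2
        return
    fi

    # A failed cd would leave git comparing the wrong work tree against the
    # index, producing a bogus dirty flag; bail out instead.
    if ! cd "$dir"; then
        echo "warning: cannot enter $dir; cannot figure out its revision" >&2
        return
    fi

    # rev-parse echoes the literal argument ("HEAD") on failure, so the exit
    # status must be checked rather than trusting stdout.
    local head
    if ! head=$(git --git-dir="$gitDir" rev-parse --short HEAD); then
        echo "warning: cannot determine git revision of $dir" >&2
        return
    fi
    rev=$head

    # `describe --dirty` appends exactly "-dirty"; match that suffix rather
    # than the substring "dirty", which a tag name could also contain.
    local described
    described=$(git --git-dir="$gitDir" describe --always --dirty) || return 0
    case "$described" in
        *-dirty) rev+=M ;;
    esac
}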
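# Entry point: print the version suffix (".git.<rev>") for the nixpkgs that
# `nix-instantiate --find-file` resolves from the given Nix arguments (e.g.
# -I overrides). Prints nothing when nixpkgs cannot be located, is not a git
# checkout, or its revision cannot be determined (getVersion leaves `rev`
# empty in those cases).
if nixpkgs=$(nix-instantiate --find-file nixpkgs "$@"); then
    # Quote the path: it may contain spaces or glob characters.
    getVersion "$nixpkgs"
    if [ -n "$rev" ]; then
        echo ".git.$rev"
    fi
fi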