nixpkgs/nixos/modules/installer/tools/get-version-suffix
Profpatsch 0e444785a1 installer/tools/get-version-suffix: set --git-dir
The `nixos-rebuild` tool calls `get-version-suffix` to figure out the
git revision of the nixpkgs directory if there is a .git.

https://nvd.nist.gov/vuln/detail/CVE-2022-24765 made git throw an
error if the .git search logic is not turned off and a user
tries to access a `.git` directory they don’t own (otherwise a
different user could trick them into setting arbitrary git config).

So from now on we should always explicitely set `--git-dir`, which
turns this search logic (and thus the security check) off.
2022-06-27 14:28:03 +02:00

23 lines
599 B
Text

getVersion() {
local dir="$1"
rev=
gitDir="$dir/.git"
if [ -e "$gitDir" ]; then
if [ -z "$(type -P git)" ]; then
echo "warning: Git not found; cannot figure out revision of $dir" >&2
return
fi
cd "$dir"
rev=$(git --git-dir="$gitDir" rev-parse --short HEAD)
if git --git-dir="$gitDir" describe --always --dirty | grep -q dirty; then
rev+=M
fi
fi
}
if nixpkgs=$(nix-instantiate --find-file nixpkgs "$@"); then
getVersion $nixpkgs
if [ -n "$rev" ]; then
echo ".git.$rev"
fi
fi