nixos/wireless: correctly handle secrets containing &

In the replacement arg of gsub() the & symbol is a special character that need to be escaped. To avoid this, and further issues due to the variable name possibly being interpreted as a regex, we do a normal substring replacement. This fixes issues #279803.
2024-04-21 09:39:00 +02:00 · 2024-04-21 09:39:00 +02:00 · 89a1bde018
parent e5e8e0688f
commit 89a1bde018
2 changed files with 10 additions and 3 deletions
--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@ -127,8 +127,12 @@ let
        # substitute environment variables
        if [ -f "${configFile}" ]; then
          ${pkgs.gawk}/bin/awk '{
-            for(varname in ENVIRON)
-              gsub("@"varname"@", ENVIRON[varname])
+            for(varname in ENVIRON) {
+              find = "@"varname"@"
+              repl = ENVIRON[varname]
+              if (i = index($0, find))
+                $0 = substr($0, 1, i-1) repl substr($0, i+length(find))
+            }
            print
          }' "${configFile}" > "${finalConfig}"
        else
--- a/nixos/tests/wpa_supplicant.nix
+++ b/nixos/tests/wpa_supplicant.nix
@ -102,13 +102,15 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
          test2.psk = "@PSK_SPECIAL@";            # should be replaced
          test3.psk = "@PSK_MISSING@";            # should not be replaced
          test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
+          test5.psk = "@PSK_AWK_REGEX@";          # should be replaced
        };

        # secrets
        environmentFile = pkgs.writeText "wpa-secrets" ''
          PSK_VALID="S0m3BadP4ssw0rd";
          # taken from https://github.com/minimaxir/big-list-of-naughty-strings
-          PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
+          PSK_SPECIAL=",./;'[]\/\-= <>?:\"{}|_+ !@#$%^&*()`~";
+          PSK_AWK_REGEX="PassowrdWith&symbol";
        '';
      };
    };
@ -171,6 +173,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
          basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
          basic.succeed(f"grep -q @PSK_MISSING@ {config_file}")
          basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
+          basic.succeed(f"grep -q 'PassowrdWith&symbol' {config_file}")

      with subtest("WPA2 fallbacks have been generated"):
          assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1