nixos/bookstack: Make secret replacement strings more unique

If one secret path is a substring of another secret path, there's a risk
that its secret is substituted for the matching part of the longer
path. To prevent this, use the sha256 of the path as the placeholder
string instead.
talyz 2022-02-01 17:29:05 +01:00
parent efeefb2af1
commit be97b3b44d
No known key found for this signature in database
GPG Key ID: 2DED2151F4671A2B


@ -385,13 +385,13 @@ in {
else if isString v then v
else if true == v then "true"
else if false == v then "false"
else if isSecret v then v._secret
else if isSecret v then hashString "sha256" v._secret
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
};
};
secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config);
mkSecretReplacement = file: ''
replace-secret ${escapeShellArgs [ file file "${cfg.dataDir}/.env" ]}
replace-secret ${escapeShellArgs [ (builtins.hashString "sha256" file) file "${cfg.dataDir}/.env" ]}
'';
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ {} null ])) cfg.config;
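Review bot: The two new lines spell the same builtin differently — `hashString "sha256" v._secret` in the value-to-string chain near the top of the hunk and `builtins.hashString "sha256" file` in mkSecretReplacement — so one of them should be changed to match, e.g. `else if isSecret v then builtins.hashString "sha256" v._secret`. Since the placeholder no longer reads as a path, a comment above mkSecretReplacement should record why it is hashed: `# The placeholder is the sha256 of the secret path: fixed-length hex digests cannot be substrings of one another, so replace-secret never rewrites part of another placeholder.` Note that hashString requires a string, whereas the interpolation it replaces would also have coerced a path value; presumably `_secret` is already a string-typed option, but that is worth confirming. The conditional chain at the start of the hunk begins outside it.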