Describe the bug
Nix accepts outputHash values that resemble the SRI hash format but use invalid hash-algo values, such as md5 or sha1. (hash-algo referring to the term in the SRI grammar)
Steps To Reproduce
Evaluate the following expression:
fetchurl {
url = "https://www.perdu.com";
hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}
Expected behavior
Nix should error out, probably with something like « 'md5' is not an SRI hash algorithm. »
nix-env --version output
nix-env (Nix) 2.17.0
Additional context
- The SRI hash format's specification refers to “CSP Level 2” for the definition of hash-algo and base64-value, as used in its grammar. In turn, the CSP spec defines hash-algo to be one of sha256, sha384 or sha512.
- Furthermore, the SRI spec explicitly disallows MD5 and SHA-1:
User agents SHOULD refuse to support known-weak hashing functions like MD5 or SHA-1 and SHOULD restrict supported hashing functions to those known to be collision-resistant.
Priorities
Add 👍 to issues you find important.
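To make the grammar point in the report concrete, here is a strict validator for a single SRI hash string. It is an added example written for this page, not Nix's own hash parser (Nix is C++; this is Python so it can be run directly), and it makes two labelled assumptions: it handles only the single `<hash-algo>-<base64-value>` form that `hash`/`outputHash` takes (no whitespace-separated lists, no `?option` suffixes), and it accepts the algorithm name case-insensitively. It rejects the `md5-…` string from the report, rejects `sha1`, and additionally checks that the decoded digest length matches the labelled algorithm, which catches a base64 value that was produced by a different hash than the label claims.

```python
"""Strict parser for one SRI hash string: "<hash-algo>-<base64-value>".

Added example for this issue, not Nix's own implementation.
"""
import base64
import binascii
import re

# Digest length in bytes for each hash-algo that the SRI / CSP Level 2
# grammar allows.
SRI_ALGORITHMS = {"sha256": 32, "sha384": 48, "sha512": 64}

# Names the SRI spec says user agents SHOULD refuse as known-weak.
KNOWN_WEAK = {"md5", "sha1"}

# Shape of one hash-source: algorithm token, dash, base64-value.
# Assumption of this example: only the single-hash form is handled; SRI's
# whitespace-separated lists and "?option" suffixes are out of scope here.
_SRI_RE = re.compile(r"^(?P<algo>[A-Za-z0-9]+)-(?P<b64>[A-Za-z0-9+/]+={0,2})$")


class SRIError(ValueError):
    """Raised when a string is not a well-formed, acceptable SRI hash."""


def parse_sri(value: str) -> tuple[str, bytes]:
    """Return (algorithm, raw_digest) or raise SRIError.

    Checks run in the order a user-facing error should report them:
    overall shape, known-weak algorithm, unknown algorithm, base64
    syntax, then digest length against the algorithm label.
    """
    m = _SRI_RE.match(value)
    if not m:
        raise SRIError(f"'{value}' is not an SRI hash (expected <algo>-<base64>)")
    # Assumption of this example: algorithm names are matched case-insensitively.
    # Tighten to an exact lowercase match if you want the grammar literally.
    algo = m.group("algo").lower()
    if algo in KNOWN_WEAK:
        raise SRIError(f"'{algo}' is not an SRI hash algorithm (known-weak, refused)")
    if algo not in SRI_ALGORITHMS:
        raise SRIError(f"'{algo}' is not an SRI hash algorithm")
    try:
        # validate=True rejects characters outside the base64 alphabet.
        digest = base64.b64decode(m.group("b64"), validate=True)
    except binascii.Error as exc:
        raise SRIError(f"invalid base64-value in '{value}': {exc}") from None
    expected = SRI_ALGORITHMS[algo]
    if len(digest) != expected:
        raise SRIError(
            f"{algo} digest must be {expected} bytes, got {len(digest)} "
            f"(base64 value does not match the algorithm label)"
        )
    return algo, digest


def is_valid_sri(value: str) -> bool:
    """True if parse_sri accepts the string, False otherwise."""
    try:
        parse_sri(value)
    except SRIError:
        return False
    return True


def check_many(values):
    """Classify a batch: {value: "ok" or the rejection message}."""
    results = {}
    for v in values:
        try:
            parse_sri(v)
            results[v] = "ok"
        except SRIError as exc:
            results[v] = str(exc)
    return results


if __name__ == "__main__":
    # Constructed inputs: the md5 string from the report, a sha1 of the empty
    # string, a sha256 of the empty string, and a 16-byte value mislabelled
    # as sha256.
    samples = [
        "md5-rrdBU2a35b2PM2ZO+n/zGw==",
        "sha1-2jmj7l5rSw0yVb/vlWAYkK/YBwk=",
        "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
        "sha256-rrdBU2a35b2PM2ZO+n/zGw==",
    ]
    for v, result in check_many(samples).items():
        print(f"{v}: {result}")
```

The length check is the part worth keeping even in a lenient parser: an `sha256-` label in front of a 16-byte digest is exactly the shape the report's `md5-…` value would take if someone simply relabelled it, and nothing in the base64 text itself reveals the mismatch.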