Merge pull request #14243 from NixOS/canon-path-nul-bytes

libutil: Ensure that CanonPath does not contain NUL bytes

Author: Ericson2314

src/libutil-tests/canon-path.cc

@@ -42,6 +42,15 @@ TEST(CanonPath, basic)
     }
 }
 
+TEST(CanonPath, nullBytes)
+{
+    std::string s = "/hello/world";
+    s[8] = '\0';
+    ASSERT_THROW(CanonPath("/").push(std::string(1, '\0')), BadCanonPath);
+    ASSERT_THROW(CanonPath(std::string_view(s)), BadCanonPath);
+    ASSERT_THROW(CanonPath(s, CanonPath::root), BadCanonPath);
+}
+
 TEST(CanonPath, from_existing)
 {
     CanonPath p0("foo//bar/");

src/libutil/canon-path.cc

@@ -3,23 +3,41 @@
 #include "nix/util/file-path-impl.hh"
 #include "nix/util/strings-inline.hh"
 
+#include <cstring>
+
 namespace nix {
 
-CanonPath CanonPath::root = CanonPath("/");
+const CanonPath CanonPath::root = CanonPath("/");
 
 static std::string absPathPure(std::string_view path)
 {
     return canonPathInner<UnixPathTrait>(path, [](auto &, auto &) {});
 }
 
+static void ensureNoNullBytes(std::string_view s)
+{
+    if (std::memchr(s.data(), '\0', s.size())) [[unlikely]] {
+        using namespace std::string_view_literals;
+        auto str = replaceStrings(std::string(s), "\0"sv, "␀"sv);
+        throw BadCanonPath("path segment '%s' must not contain null (\\0) bytes", str);
+    }
+}
+
 CanonPath::CanonPath(std::string_view raw)
     : path(absPathPure(concatStrings("/", raw)))
+{
+    ensureNoNullBytes(raw);
+}
+
+CanonPath::CanonPath(const char * raw)
+    : path(absPathPure(concatStrings("/", raw)))
 {
 }
 
 CanonPath::CanonPath(std::string_view raw, const CanonPath & root)
     : path(absPathPure(raw.size() > 0 && raw[0] == '/' ? raw : concatStrings(root.abs(), "/", raw)))
 {
+    ensureNoNullBytes(raw);
 }
 
 CanonPath::CanonPath(const std::vector<std::string> & elems)
@@ -80,6 +98,7 @@ void CanonPath::push(std::string_view c)
 {
     assert(c.find('/') == c.npos);
     assert(c != "." && c != "..");
+    ensureNoNullBytes(c);
     if (!isRoot())
         path += '/';
     path += c;

src/libutil/include/nix/util/canon-path.hh

@@ -1,6 +1,7 @@
 #pragma once
 ///@file
 
+#include "nix/util/error.hh"
 #include <string>
 #include <optional>
 #include <cassert>
@@ -12,6 +13,8 @@
 
 namespace nix {
 
+MakeError(BadCanonPath, Error);
+
 /**
  * A canonical representation of a path. It ensures the following:
  *
@@ -23,6 +26,8 @@ namespace nix {
  *
  * - There are no components equal to '.' or '..'.
  *
+ * - It does not contain NUL bytes.
+ *
  * `CanonPath` are "virtual" Nix paths for abstract file system objects;
  * they are always Unix-style paths, regardless of what OS Nix is
  * running on. The `/` root doesn't denote the ambient host file system
@@ -51,10 +56,7 @@ public:
      */
     CanonPath(std::string_view raw);
 
-    explicit CanonPath(const char * raw)
-        : CanonPath(std::string_view(raw))
-    {
-    }
+    explicit CanonPath(const char * raw);
 
     struct unchecked_t
     {};
@@ -69,7 +71,7 @@ public:
      */
     CanonPath(const std::vector<std::string> & elems);
 
-    static CanonPath root;
+    static const CanonPath root;
 
     /**
      * If `raw` starts with a slash, return