This repository has been archived on 2026-03-10. You can view files and clone it. You cannot open issues or pull requests or push a commit.

Torjus Håkestad be1ff4839b security: validate revision parameter to prevent Nix injection ...

The revision parameter was interpolated directly into a Nix expression,
allowing potential injection of arbitrary Nix code. An attacker could
craft a revision string like:
  "; builtins.readFile /etc/passwd; "

This adds ValidateRevision() which ensures revisions only contain safe
characters (alphanumeric, hyphens, underscores, dots) and are at most
64 characters long.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-02-03 19:10:31 +01:00

8.6 KiB

Raw Blame History

View Raw