Pwning the Entire Nix Ecosystem
a day ago
- #nixpkgs
- #github-actions
- #security
- A vulnerability in nixpkgs was discovered that could compromise the entire Nix ecosystem by injecting malicious code.
- The vulnerability was found in GitHub Actions workflows using the `pull_request_target` trigger, which by default runs with a read/write token and access to repository secrets.
- Two specific vulnerabilities were identified: one in an EditorConfig workflow using `xargs` (command injection) and another in a CODEOWNERS workflow (local file inclusion leading to credential leakage).
- The vulnerabilities were reported and fixed promptly by the Nixpkgs maintainers, including disabling vulnerable workflows and separating untrusted data from privileged operations.
- Key lessons include avoiding mixing untrusted data with secrets, minimizing permissions, and carefully reading documentation about permissions.
- Resources for further learning and the original lightning talk are provided.
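The fix described above, separating untrusted pull-request data from privileged operations and minimizing permissions, as an added illustration that is not the original talk's material and not nixpkgs' actual workflows: a `pull_request_target` workflow that checks out and executes contributor-controlled files with secrets in scope, beside a split design in which the untrusted step runs under `pull_request` with a read-only token and a separate `workflow_run` job holds the write permission and treats the result strictly as data. Workflow and file names, the `ci/lint.sh` script and the `SOME_TOKEN` secret are assumptions; each `---` section is meant as its own file under `.github/workflows/`.

```yaml
# .github/workflows/lint-unsafe.yml (assumed name; the pattern to avoid)
# pull_request_target runs in the context of the base branch, so the token is
# read/write and repository secrets are available. Checking out the PR head
# and executing anything from it hands that privilege to the contributor.
name: lint-unsafe
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted checkout
      - run: ./ci/lint.sh                                 # assumed script; PR-controlled content runs here
        env:
          TOKEN: ${{ secrets.SOME_TOKEN }}                 # assumed secret; exposed to that content
---
# .github/workflows/lint.yml (assumed name): untrusted work, no privileges
name: lint
on:
  pull_request:            # fork PRs get a read-only token and no secrets
permissions:
  contents: read           # state the minimum explicitly instead of relying on defaults
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          ./ci/lint.sh > result.txt
          echo "${{ github.event.pull_request.number }}" > pr_number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: lint-result
          path: |
            result.txt
            pr_number.txt
---
# .github/workflows/lint-comment.yml (assumed name): privileged step consumes
# only data produced by the unprivileged run, never code from the PR branch.
name: lint-comment
on:
  workflow_run:
    workflows: [lint]
    types: [completed]
permissions:
  actions: read            # needed to download another run's artifact
  pull-requests: write     # only what the comment step needs
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: lint-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - name: Comment with the lint result
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
        run: |
          pr="$(cat pr_number.txt)"
          # The artifact came from an unprivileged run, so validate it before
          # use; pass the result as a file rather than interpolating it into
          # a command line (the xargs-style mistake the talk describes).
          case "$pr" in
            ''|*[!0-9]*) echo "rejecting non-numeric PR number" >&2; exit 1 ;;
          esac
          gh pr comment "$pr" --body-file result.txt
```

The design choice is that nothing in the privileged job ever evaluates contributor-controlled content: the `pull_request` job can run arbitrary PR code because it has nothing worth stealing, and the `workflow_run` job has the write permission but only reads two files and validates them before use. Note that `${{ }}` interpolation into `run:` is itself a shell-injection vector when the expression carries untrusted text; the only interpolation above is a PR number, and the consuming side still checks that it is numeric.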