From 6fe989eaed7d283bbde7a58e42ce36c676870aee Mon Sep 17 00:00:00 2001 From: aszlig Date: Sat, 6 Apr 2019 12:51:56 +0200 Subject: [PATCH] nixos/tests/acme: Use exact match in TOS location Since the switch to check the nginx config with gixy in 59fac1a6d7e1983a1e7bd518129ff9ef39a013dd, the ACME test doesn't build anymore, because gixy reports the following false-positive (reindented): >> Problem: [alias_traversal] Path traversal via misconfigured alias. Severity: MEDIUM Description: Using alias in a prefixed location that doesn't ends with directory separator could lead to path traversal vulnerability. Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md Pseudo config: server { server_name letsencrypt.org; location /documents/2017.11.15-LE-SA-v1.2.pdf { alias /nix/store/y4h5ryvnvxkajkmqxyxsk7qpv7bl3vq7-2017.11.15-LE-SA-v1.2.pdf; } } The reason this is a false-positive is because the destination is not a directory, so something like "/foo.pdf../other.txt" won't work here, because the resulting path would be ".../destfile.pdf../other.txt". Nevertheless it's a good idea to use the exact match operator (=), to not only shut up gixy but also gain a bit of performance in lookup (not that it would matter in our test). Signed-off-by: aszlig --- nixos/tests/common/letsencrypt/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/tests/common/letsencrypt/default.nix b/nixos/tests/common/letsencrypt/default.nix index 73aac51a012..8fe59bf4e70 100644 --- a/nixos/tests/common/letsencrypt/default.nix +++ b/nixos/tests/common/letsencrypt/default.nix @@ -381,7 +381,7 @@ in { enableACME = false; sslCertificate = siteCertFile; sslCertificateKey = siteKeyFile; - locations.${tosPath}.extraConfig = "alias ${tosFile};"; + locations."= ${tosPath}".alias = tosFile; }; systemd.services = {
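Review bot: The hunk makes two changes while the subject line names only one: besides switching the location key to the exact-match form `"= ${tosPath}"`, it replaces the free-form `extraConfig = "alias ${tosFile};"` with the structured `alias = tosFile` option. The structured option is the better form (the module renders the `alias` directive itself, so there is no hand-written `;` or quoting to get wrong), but it deserves a sentence in the commit message so readers do not take it for an incidental change. Also worth stating in the message: with `=` nginx matches only the literal `${tosPath}` and never anything under it as a prefix, which is exactly why the gixy `alias_traversal` finding disappears, since that check targets prefix locations; this relies on `${tosPath}` being the full request path for the PDF, which the pseudo config in the description (`location /documents/2017.11.15-LE-SA-v1.2.pdf`) confirms.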