From: "Ludovic Courtès" <ludovic.courtes@inria.fr>
To: guix-devel@gnu.org
Subject: Tricking peer review
Date: Fri, 15 Oct 2021 20:54:09 +0200	[thread overview]
Message-ID: <874k9if7am.fsf@inria.fr> (raw)

Hello,

Consider this file as if it were a patch you’re reviewing:


(define-module (content-addressed))
(use-modules (guix)
             (guix build-system gnu)
             (guix licenses)
             (gnu packages perl))

(define-public sed
  (package
   (name "sed")
   (version "4.8")
   (source (origin
            (method url-fetch)
            (uri (string-append "mirror://gnu/zed/sed-" version
                                ".tar.gz"))
            (sha256
             (base32
              "1yy33kiwrxrwj2nxa4fg15bvmwyghqbs8qwkdvy5phm784f7brjq"))))
   (build-system gnu-build-system)
   (synopsis "Stream editor")
   (native-inputs
    `(("perl" ,perl)))                            ;for tests
   (description
    "Sed is a non-interactive, text stream editor.  It receives a text
input from a file or from standard input and it then applies a series of text
editing commands to the stream and prints its output to standard output.  It
is often used for substituting text patterns in a stream.  The GNU
implementation offers several extensions over the standard utility.")
   (license gpl3+)
   (home-page "https://www.gnu.org/software/sed/")))

sed

It builds just fine:

--8<---------------cut here---------------start------------->8---
$ guix build -f /tmp/content-addressed.scm  
/gnu/store/lpais26sjwxcyl7y7jqns6f5qrbrnb34-sed-4.8
$ guix build -f /tmp/content-addressed.scm -S --check -v0
/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz
--8<---------------cut here---------------end--------------->8---

Did you spot a problem?

…

So, what did we just build?

--8<---------------cut here---------------start------------->8---
$ ls $(guix build -f /tmp/content-addressed.scm)/bin
egrep  fgrep  grep
--8<---------------cut here---------------end--------------->8---

Oh oh!  This ‘sed’ package is giving us ‘grep’!  How come?

The trick is easy: we give a URL that’s actually 404, with the hash of a
file that can be found on Software Heritage (in this case, that of
‘grep-3.4.tar.xz’).  When downloading the source, the automatic
content-addressed fallback kicks in, and voilà:

--8<---------------cut here---------------start------------->8---
$ guix build -f /tmp/content-addressed.scm  -S --check 
La jena derivaĵo estos konstruata:
   /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv...

Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
following redirection to `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" 404 "Not Found"

[...]

Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/...
downloading from https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ ...

warning: rewriting hashes in `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross fingers
successfully built /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
--8<---------------cut here---------------end--------------->8---

It’s nothing new, it’s what I do when I want to test the download
fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
c4a7aa82e25503133a1bd33148d17968c899a5f5).  Still, I wonder if it could
somehow be abused to have malicious packages pass review.

Granted, ‘guix lint’ immediately flags the issue:

--8<---------------cut here---------------start------------->8---
$ guix lint -L /tmp/p sed
guix lint: warning: plursenca pak-specifigo 'sed'
guix lint: warning: ni elektas sed@4.8 el /tmp/content-addressed.scm:8:2
/tmp/content-addressed.scm:11:11: sed@4.8: all the source URIs are unreachable:
/tmp/content-addressed.scm:11:11: sed@4.8: URI https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz ne estas alirebla: 404 ("Not Found")
/tmp/content-addressed.scm:11:11: sed@4.8: URI ftp://ftp.cs.tu-berlin.de/pub/gnu/zed/sed-4.8.tar.gz domajno ne trovita: Nomo aŭ servo ne konatas
/tmp/content-addressed.scm:11:11: sed@4.8: URI ftp://ftp.funet.fi/pub/mirrors/ftp.gnu.org/gnu/zed/sed-4.8.tar.gz ne estas alirebla: 550 ("Can't change directory to zed: No such file or directory")
/tmp/content-addressed.scm:11:11: sed@4.8: URI http://ftp.gnu.org/pub/gnu/zed/sed-4.8.tar.gz ne estas alirebla: 404 ("Not Found")
--8<---------------cut here---------------end--------------->8---

Also, just because a URL looks nice and is reachable doesn’t mean the
source is trustworthy either.  An attacker could submit a package for an
obscure piece of software that happens to be malware.  The difference
here is that the trick above would allow targeting a high-impact
package.

On the plus side, such an attack would be recorded forever in Git
history.

Also on the plus side, it turns out our origin URLs are currently
(unintentionally) limited to ASCII, so I couldn’t write “/ṡed” in the
URL.


All in all, it’s probably not as worrisome as it first seems.  However,
it’s worth keeping in mind when reviewing a package.

Thoughts?

Ludo’.
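As an added illustration of the reviewer's side of this (example code, not part of the message above and not Guix's own code): a small Python audit that takes the download log `guix build -S` prints, plus the sha256 declared in the recipe, and reports whether the tarball was served by the Software Heritage content-addressed fallback rather than by any declared URI. It decodes the recipe's Nix/Guix base32 hash so it can be compared with the hex sha256 in the fallback URL, which makes the point of the message concrete: the hash, not the URL, selected what got built. The trick log is reconstructed from the output quoted above; the "clean" log and the store-path placeholders in it are constructed; all function names are hypothetical.

```python
"""Audit a `guix build -S` download log for the content-addressed fallback.

Hypothetical reviewer helper (not part of Guix).
"""
import re

# Nix/Guix base32 alphabet: 32 symbols, no e/o/t/u.
NIX32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix32_decode(text: str) -> bytes:
    """Decode Nix-style base32: characters are read right to left, 5 bits
    each, filling the output bytes little-endian (the layout Nix and Guix use)."""
    out = bytearray((len(text) * 5) // 8)
    for n, char in enumerate(reversed(text)):
        digit = NIX32.index(char)          # ValueError on a non-alphabet char
        i, j = divmod(n * 5, 8)            # byte index, bit offset within it
        out[i] |= (digit << j) & 0xFF
        if i + 1 < len(out):               # high bits spill into the next byte
            out[i + 1] |= digit >> (8 - j)
    return bytes(out)


def nix32_encode(data: bytes) -> str:
    """Inverse of nix32_decode; a 32-byte digest becomes 52 characters."""
    length = (len(data) * 8 - 1) // 5 + 1
    chars = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = data[i] >> j
        if i + 1 < len(data):
            c |= data[i + 1] << (8 - j)
        chars.append(NIX32[c & 0x1F])
    return "".join(chars)


# Log line shapes taken from the guix download output quoted in the message.
FAILED_RE = re.compile(r'download failed "([^"]+)" (\d{3})')
FROM_RE = re.compile(r"^From (\S+?)\.\.\.$", re.MULTILINE)
SWH_RE = re.compile(
    r"archive\.softwareheritage\.org/api/1/content/sha256:([0-9a-f]{64})/raw")


def audit_download_log(log: str, recipe_hash_nix32: str) -> dict:
    """Summarise which URIs were tried, which failed, whether the fallback
    served the file, and which sha256 the fallback was asked for."""
    declared = nix32_decode(recipe_hash_nix32).hex()
    tried = FROM_RE.findall(log)
    failures = [(url, int(code)) for url, code in FAILED_RE.findall(log)]
    swh = SWH_RE.search(log)
    result = {
        "declared_sha256": declared,
        "upstream_uris_tried": [u for u in tried if "softwareheritage.org" not in u],
        "upstream_failures": failures,
        "fallback_used": swh is not None,
        "fallback_sha256": swh.group(1) if swh else None,
        "built": "successfully built" in log,
    }
    if result["fallback_used"] and result["built"]:
        result["verdict"] = ("source came from the content-addressed fallback, "
                             "not from a declared URI: the recipe hash alone "
                             "selected the content; verify it belongs to this project")
    elif failures and not result["built"]:
        result["verdict"] = "download failed; nothing was built"
    else:
        result["verdict"] = "source fetched from a declared URI"
    return result


# Hash from the recipe in the message (grep-3.4.tar.xz, as the message says).
RECIPE_HASH = "1yy33kiwrxrwj2nxa4fg15bvmwyghqbs8qwkdvy5phm784f7brjq"

# Reconstructed (abridged) from the download log quoted in the message.
TRICK_LOG = """\
Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
following redirection to `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" 404 "Not Found"

Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/...
downloading from https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ ...
successfully built /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
"""

# Constructed: the same log when the declared URI serves the file
# (store hashes are placeholders).
CLEAN_LOG = """\
Starting download of /gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-sed-4.8.tar.gz
From https://ftpmirror.gnu.org/gnu/sed/sed-4.8.tar.gz...
downloading from https://ftpmirror.gnu.org/gnu/sed/sed-4.8.tar.gz ...
successfully built /gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-sed-4.8.tar.gz.drv
"""

if __name__ == "__main__":
    for name, log in (("trick", TRICK_LOG), ("clean", CLEAN_LOG)):
        report = audit_download_log(log, RECIPE_HASH)
        print(f"{name}: {report['verdict']}")
        print(f"  declared sha256: {report['declared_sha256']}")
        print(f"  fallback sha256: {report['fallback_sha256']}")
```

On the trick log the audit shows that every upstream URI failed and that the hex sha256 Guix asked Software Heritage for is exactly the decoded recipe hash, so a reviewer who only confirmed "it builds" learned nothing about where the bytes came from. Running `guix lint` on the recipe, as the message notes, catches the unreachable URIs before any build; the log audit is useful when the artefact of a review is a build log rather than a lint run.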
