From 87c22100a6892b864ff94476f2965a793d8e4282 Mon Sep 17 00:00:00 2001
From: nicoo <nicoo@mur.at>
Date: Thu, 14 Sep 2023 16:45:25 +0000
Subject: [PATCH 1/2] stdenv.mkDerivation: Reject MD5 hashes

While there is no fetcher or builder (in nixpkgs) that takes an `md5` parameter,
for some inscrutable reason the nix interpreter accepts the following:
```nix
fetchurl {
  url = "https://www.perdu.com";
  hash = "md5-rrdBU2a35b2PM2ZO+n/zGw==";
}
```

Note that neither MD5 nor SHA1 are allowed by the syntax of SRI hashes.
---
 nixos/doc/manual/release-notes/rl-2311.section.md |  2 ++
 pkgs/stdenv/generic/make-derivation.nix           | 11 +++++++++++
 2 files changed, 13 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index bd0d74a8885b..c3cb495498df 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -335,6 +335,8 @@
 
 - `services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}` now use separate runtime directories instead of `/run/kea` to work around the runtime directory being cleared on service start.
 
+- `mkDerivation` now rejects MD5 hashes.
+
 ## Other Notable Changes {#sec-release-23.11-notable-changes}
 
 - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index beba687e788a..d235ffefaab4 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -165,6 +165,17 @@ let
 
 , ... } @ attrs:
 
+# Policy on acceptable hash types in nixpkgs
+assert attrs ? outputHash -> (
+  let algo =
+    attrs.outputHashAlgo or (lib.head (lib.splitString "-" attrs.outputHash));
+  in
+  if algo == "md5" then
+    throw "Rejected insecure ${algo} hash '${attrs.outputHash}'"
+  else
+    true
+);
+
 let
   # TODO(@oxij, @Ericson2314): This is here to keep the old semantics, remove when
   # no package has `doCheck = true`.

From 1cabb1c445f8d535f66fa949362b973832f2ea2f Mon Sep 17 00:00:00 2001
From: nicoo <nicoo@mur.at>
Date: Thu, 14 Sep 2023 17:30:52 +0000
Subject: [PATCH 2/2] tests/stdenv: Check derivations with an MD5 `outputHash`
 fail to evaluate

---
 pkgs/test/stdenv/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkgs/test/stdenv/default.nix b/pkgs/test/stdenv/default.nix
index 0fa87cccc219..3882eb2b625c 100644
--- a/pkgs/test/stdenv/default.nix
+++ b/pkgs/test/stdenv/default.nix
@@ -142,6 +142,15 @@ in
     '';
   };
 
+  # Check that mkDerivation rejects MD5 hashes
+  rejectedHashes = lib.recurseIntoAttrs {
+    md5 =
+      let drv = runCommand "md5 outputHash rejected" {
+        outputHash = "md5-fPt7dxVVP7ffY3MxkQdwVw==";
+      } "true";
+      in assert !(builtins.tryEval drv).success; {};
+  };
+
   test-inputDerivation = let
     inherit (stdenv.mkDerivation {
       dep1 = derivation { name = "dep1"; builder = "/bin/sh"; args = [ "-c" ": > $out" ]; system = builtins.currentSystem; };