From 1911b0cd985d4780bd3f6e264886b03de2b619c5 Mon Sep 17 00:00:00 2001
From: Robert Helgesson
Date: Sat, 29 Aug 2020 18:22:03 +0200
Subject: [PATCH] files: make sure the target file name is escaped

The previous implementation would allow variables to sneak into the file names. This commit makes sure the resulting target file path exactly matches the expected path.
---
 modules/files.nix | 15 +++++++++------
 tests/modules/files/default.nix | 1 +
 tests/modules/files/target-with-shellvar.nix | 15 +++++++++++++++
 3 files changed, 25 insertions(+), 6 deletions(-)
 create mode 100644 tests/modules/files/target-with-shellvar.nix
diff --git a/modules/files.nix b/modules/files.nix
index e0ad8facac19..09ecf715497e 100644
--- a/modules/files.nix
+++ b/modules/files.nix
@@ -316,12 +316,15 @@ in
 }
 '' + concatStrings (
 mapAttrsToList (n: v: ''
- insertFile "${sourceStorePath v}" \
- "${v.target}" \
- "${if v.executable == null
- then "inherit"
- else builtins.toString v.executable}" \
- "${builtins.toString v.recursive}"
+ insertFile ${
+ escapeShellArgs [
+ (sourceStorePath v)
+ v.target
+ (if v.executable == null
+ then "inherit"
+ else toString v.executable)
+ (toString v.recursive)
+ ]}
 '') cfg
 ));
 };
diff --git a/tests/modules/files/default.nix b/tests/modules/files/default.nix
index 77743a760dc2..6f1ef24b8103 100644
--- a/tests/modules/files/default.nix
+++ b/tests/modules/files/default.nix
@@ -3,5 +3,6 @@
 files-hidden-source = ./hidden-source.nix;
 files-out-of-store-symlink = ./out-of-store-symlink.nix;
 files-source-with-spaces = ./source-with-spaces.nix;
+ files-target-with-shellvar = ./target-with-shellvar.nix;
 files-text = ./text.nix;
 }
diff --git a/tests/modules/files/target-with-shellvar.nix b/tests/modules/files/target-with-shellvar.nix
new file mode 100644
index 000000000000..c54946eb9eba
--- /dev/null
+++ b/tests/modules/files/target-with-shellvar.nix
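Review bot: In modules/files.nix the new `insertFile ${ escapeShellArgs [ … ] }` call carries no comment explaining why the arguments are escaped as a list, so a later edit could reintroduce a double-quoted interpolation without noticing the regression. I would add a Nix comment inside the antiquotation, ahead of `escapeShellArgs [`: `# Escape every argument: "$", backticks and quotes in a target must reach insertFile literally.` The change also alters behaviour for any configuration whose target name relied on the build shell expanding it; if that is intended, a news entry or option-description note would help, and none is visible in this patch. The surrounding script string begins and ends outside the hunk, so how `insertFile` treats the target afterwards cannot be judged from here.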
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ config = {
+ home.file."$HOME/$FOO/bar baz".text = "blah";
+
+ nmt.script = ''
+ assertFileExists 'home-files/$HOME/$FOO/bar baz';
+ assertFileContent 'home-files/$HOME/$FOO/bar baz' \
+ ${pkgs.writeText "expected" "blah"}
+ '';
+ };
+}
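Review bot: The new test in tests/modules/files/target-with-shellvar.nix pins only variable-style names and a space, while the double-quoted form being replaced would, by ordinary shell rules, also have expanded command substitution and backticks, and `escapeShellArgs` has to cope with a single quote inside the argument as well. A second entry would cover those, for example `home.file."$(echo x)/it's".text = "blah";` with a matching `assertFileExists "home-files/\$(echo x)/it's"` in `nmt.script`. Separately, `with lib;` appears unused in this file and could be dropped unless the test suite keeps it as a convention.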