specialisation: escape specialisation name

The specialisation name is included in home.extraBuilderCommands without being properly escaped and checked. This commit fixes that.
nix-community · Mar 5, 2025 · 486b066 · 486b066
1 parent f6ac8a3
commit 486b066
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/modules/misc/specialisation.nix b/modules/misc/specialisation.nix
@@ -71,10 +71,16 @@ with lib;
   };
 
   config = mkIf (config.specialisation != { }) {
+    assertions = map (n: {
+      assertion = !lib.hasInfix "/" n;
+      message =
+        "<name> in specialisation.<name> cannot contain a forward slash.";
+    }) (attrNames config.specialisation);
+
     home.extraBuilderCommands = let
       link = n: v:
         let pkg = v.configuration.home.activationPackage;
-        in "ln -s ${pkg} $out/specialisation/${n}";
+        in "ln -s ${pkg} $out/specialisation/${escapeShellArg n}";
     in ''
       mkdir $out/specialisation
       ${concatStringsSep "\n" (mapAttrsToList link config.specialisation)}