From 486b066025dccd8af7fbe5dd2cc79e46b88c80da Mon Sep 17 00:00:00 2001
From: toborwinner <102221758+ToborWinner@users.noreply.github.com>
Date: Sun, 9 Feb 2025 21:32:30 +0100
Subject: [PATCH] specialisation: escape specialisation name

The specialisation name is included in home.extraBuilderCommands
without being properly escaped and checked. This commit fixes that.
---
 modules/misc/specialisation.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/misc/specialisation.nix b/modules/misc/specialisation.nix
index dc5f78e14..01e889426 100644
--- a/modules/misc/specialisation.nix
+++ b/modules/misc/specialisation.nix
@@ -71,10 +71,16 @@ with lib;
   };
 
   config = mkIf (config.specialisation != { }) {
+    assertions = map (n: {
+      assertion = !lib.hasInfix "/" n;
+      message =
+        "<name> in specialisation.<name> cannot contain a forward slash.";
+    }) (attrNames config.specialisation);
+
     home.extraBuilderCommands = let
       link = n: v:
         let pkg = v.configuration.home.activationPackage;
-        in "ln -s ${pkg} $out/specialisation/${n}";
+        in "ln -s ${pkg} $out/specialisation/${escapeShellArg n}";
     in ''
       mkdir $out/specialisation
       ${concatStringsSep "\n" (mapAttrsToList link config.specialisation)}