From 2b9fc0ccc55a40507ef4f64b64292f3a80a5753e Mon Sep 17 00:00:00 2001
From: toborwinner <102221758+ToborWinner@users.noreply.github.com>
Date: Fri, 9 May 2025 00:10:54 +0200
Subject: [PATCH] nixos/specialisation: escape and restrict specialisation names

Prevent the specialisation names from containing a forward slash. Also escape them to allow for spaces in specialisation names.
---
 nixos/modules/system/activation/specialisation.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/system/activation/specialisation.nix b/nixos/modules/system/activation/specialisation.nix
index 1bc257248539..7acccbd724d5 100644
--- a/nixos/modules/system/activation/specialisation.nix
+++ b/nixos/modules/system/activation/specialisation.nix
@@ -10,6 +10,8 @@
 let
 inherit (lib)
 concatStringsSep
+ escapeShellArg
+ hasInfix
 mapAttrs
 mapAttrsToList
 mkOption
@@ -84,10 +86,18 @@ in
 };
 config = {
+ assertions = mapAttrsToList (name: _: {
+ assertion = !hasInfix "/" name;
+ message = ''
+ Specialisation names must not contain forward slashes.
+ Invalid specialisation name: ${name}
+ '';
+ }) config.specialisation;
+
 system.systemBuilderCommands = ''
 mkdir $out/specialisation
 ${concatStringsSep "\n" (
- mapAttrsToList (name: path: "ln -s ${path} $out/specialisation/${name}") children
+ mapAttrsToList (name: path: "ln -s ${path} $out/specialisation/${escapeShellArg name}") children
 )}
 '';
 };
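Review bot: The new assertion in `config.assertions` only rejects names containing `/`, so the names `""`, `.` and `..` still pass and reach the `ln -s` line in `system.systemBuilderCommands`. For those names the link destination resolves to an existing directory (`$out/specialisation/` or `$out`), so `ln` would, as far as I can tell, succeed and create the link under the basename of the store path instead of failing the build. I would tighten the check to `assertion = !hasInfix "/" name && !(lib.elem name [ "" "." ".." ]);` and reword the message to match. Since names with spaces and other shell-special characters are now accepted, it is also worth confirming that consumers of `$out/specialisation/*` outside this file (boot-entry generation, switch scripts) quote the name as well; that is not visible in this diff.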