Disallow reading flake.lock

With --no-write-lock-file, it's possible that flake.lock is out of
sync with the actual inputs used by the evaluation. So doing fromJSON
(readFile ./flake.lock) will give wrong results.

Fixes #4639.
Eelco Dolstra 2021-09-14 21:09:11 +02:00
parent 1fbaf36729
commit e5596113f7


@ -1412,6 +1412,11 @@ static void prim_readFile(EvalState & state, const Pos & pos, Value * * args, Va
{ {
PathSet context; PathSet context;
Path path = state.coerceToPath(pos, *args[0], context); Path path = state.coerceToPath(pos, *args[0], context);
if (baseNameOf(path) == "flake.lock")
throw Error({
.msg = hintfmt("cannot read '%s' because flake lock files can be out of sync", path),
.errPos = pos
});
try { try {
state.realiseContext(context); state.realiseContext(context);
} catch (InvalidPathError & e) { } catch (InvalidPathError & e) {
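
Review bot: The new guard at the top of prim_readFile compares only `baseNameOf(path) == "flake.lock"`, so it rejects every file with that name, whether or not it belongs to the flake being evaluated or the evaluation used --no-write-lock-file, and it does not catch the same lock file reached under a different name. Since the commit message describes the problem as specific to --no-write-lock-file, consider limiting the check to that case or to the lock file of the flake under evaluation. If the blanket rule is intended, it should be stated in the readFile documentation. This hunk guards readFile only, so any other primitive that can read file contents would need the same check to keep the restriction consistent. The error message would also help more if it said what to use in place of reading the lock file.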