artemist/lix
0
0
Fork 0
forked from lix-project/lix
Code Pull requests Activity

fetchClosure: Only allow some "safe" store types

Browse source
This commit is contained in:
Eelco Dolstra 2022-03-22 22:47:33 +01:00
parent 7ffda0af6e
commit 4120930ac1
1 changed files with 10 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/libexpr/primops/fetchClosure.cc
View file

@ -1,6 +1,7 @@
#include "primops.hh" #include "primops.hh"
#include "store-api.hh" #include "store-api.hh"
#include "make-content-addressed.hh" #include "make-content-addressed.hh"
#include "url.hh"
namespace nix { namespace nix {
@ -50,8 +51,15 @@ static void prim_fetchClosure(EvalState & state, const Pos & pos, Value * * args
.errPos = pos .errPos = pos
}); });
// FIXME: only allow some "trusted" store types (like BinaryCacheStore). auto parsedURL = parseURL(*fromStoreUrl);
auto fromStore = openStore(*fromStoreUrl);
if (parsedURL.scheme != "http" && parsedURL.scheme != "https")
throw Error({
.msg = hintfmt("'fetchClosure' only supports http:// and https:// stores"),
.errPos = pos
});
auto fromStore = openStore(parsedURL.to_string());
if (toCA) { if (toCA) {
if (!toPath || !state.store->isValidPath(*toPath)) { if (!toPath || !state.store->isValidPath(*toPath)) {