From f1c9d83697e074c32f4efdcb2845bc25edc48f13 Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Sun, 19 Mar 2023 14:12:49 +0100
Subject: [PATCH] Only allow reference lock files when allow-dirty is set
---
 src/libexpr/flake/flake.cc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/libexpr/flake/flake.cc b/src/libexpr/flake/flake.cc
index 64ec4bdd2..0d55ce23e 100644
--- a/src/libexpr/flake/flake.cc
+++ b/src/libexpr/flake/flake.cc
@@ -334,6 +334,9 @@ LockedFlake lockFlake(
 }
 try {
+ if (!fetchSettings.allowDirty && lockFlags.referenceLockFilePath) {
+ throw Error("reference lock file was provided, but the `allow-dirty` setting is set to false");
+ }
 // FIXME: symlink attack
 auto oldLockFile = LockFile::read(