Merge pull request #6436 from flox/tofile_allow

fix: builtins.toFile adds path to allowedPaths
This commit is contained in:
Théophane Hufschmitt 2022-04-22 08:50:54 +02:00 committed by GitHub
commit 35ca5fdf91
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 3 deletions

View file

@ -2,3 +2,7 @@
* `nix repl` has a new build-'n-link (`:bl`) command that builds a derivation * `nix repl` has a new build-'n-link (`:bl`) command that builds a derivation
while creating GC root symlinks. while creating GC root symlinks.
* The path produced by `builtins.toFile` is now allowed to be imported or read
even with restricted evaluation. Note that this will not work with a
read-only store.

View file

@ -1798,15 +1798,16 @@ static void prim_toFile(EvalState & state, const Pos & pos, Value * * args, Valu
refs.insert(state.store->parseStorePath(path)); refs.insert(state.store->parseStorePath(path));
} }
auto storePath = state.store->printStorePath(settings.readOnlyMode auto storePath = settings.readOnlyMode
? state.store->computeStorePathForText(name, contents, refs) ? state.store->computeStorePathForText(name, contents, refs)
: state.store->addTextToStore(name, contents, refs, state.repair)); : state.store->addTextToStore(name, contents, refs, state.repair);
/* Note: we don't need to add `context' to the context of the /* Note: we don't need to add `context' to the context of the
result, since `storePath' itself has references to the paths result, since `storePath' itself has references to the paths
used in args[1]. */ used in args[1]. */
v.mkString(storePath, {storePath}); /* Add the output of this to the allowed paths. */
state.allowAndSetStorePathString(storePath, v);
} }
static RegisterPrimOp primop_toFile({ static RegisterPrimOp primop_toFile({

View file

@ -20,6 +20,8 @@ nix eval --expr 'assert 1 + 2 == 3; true'
[[ $(nix eval attr --json -f "./eval.nix") == '{"foo":"bar"}' ]] [[ $(nix eval attr --json -f "./eval.nix") == '{"foo":"bar"}' ]]
[[ $(nix eval int -f - < "./eval.nix") == 123 ]] [[ $(nix eval int -f - < "./eval.nix") == 123 ]]
# Check if toFile can be utilized during restricted eval
[[ $(nix eval --restrict-eval --expr 'import (builtins.toFile "source" "42")') == 42 ]]
nix-instantiate --eval -E 'assert 1 + 2 == 3; true' nix-instantiate --eval -E 'assert 1 + 2 == 3; true'
[[ $(nix-instantiate -A int --eval "./eval.nix") == 123 ]] [[ $(nix-instantiate -A int --eval "./eval.nix") == 123 ]]