authorThéophane Hufschmitt <7226587+thufschmitt@users.noreply.github.com>2022-04-22 08:50:54 +0200
committerGitHub <noreply@github.com>2022-04-22 08:50:54 +0200
commit35ca5fdf91852e24d677a08dd0d8dfa543150dd3 (patch)
treee02c94a11bcfc39335b31b635cc70889510ad0d8
parent3b9d31b88c95e591c28f3a7423f83c40b9788781 (diff)
parentf25112d3832b93a2bc8abe7936e6355dae9a25d5 (diff)
Merge pull request #6436 from flox/tofile_allow
fix: builtins.toFile adds path to allowedPaths
-rw-r--r--doc/manual/src/release-notes/rl-next.md4
-rw-r--r--src/libexpr/primops.cc7
-rw-r--r--tests/eval.sh2
3 files changed, 10 insertions, 3 deletions
diff --git a/doc/manual/src/release-notes/rl-next.md b/doc/manual/src/release-notes/rl-next.md
index 3e2998c6c..f16ae901c 100644
--- a/doc/manual/src/release-notes/rl-next.md
+++ b/doc/manual/src/release-notes/rl-next.md
@@ -2,3 +2,7 @@
* `nix repl` has a new build-'n-link (`:bl`) command that builds a derivation
while creating GC root symlinks.
+
+* The path produced by `builtins.toFile` is now allowed to be imported or read
+ even with restricted evaluation. Note that this will not work with a
+ read-only store.
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index 73817dbdd..a93ac8a30 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -1798,15 +1798,16 @@ static void prim_toFile(EvalState & state, const Pos & pos, Value * * args, Valu
refs.insert(state.store->parseStorePath(path));
}
- auto storePath = state.store->printStorePath(settings.readOnlyMode
+ auto storePath = settings.readOnlyMode
? state.store->computeStorePathForText(name, contents, refs)
- : state.store->addTextToStore(name, contents, refs, state.repair));
+ : state.store->addTextToStore(name, contents, refs, state.repair);
/* Note: we don't need to add `context' to the context of the
result, since `storePath' itself has references to the paths
used in args[1]. */
- v.mkString(storePath, {storePath});
+ /* Add the output of this to the allowed paths. */
+ state.allowAndSetStorePathString(storePath, v);
}
static RegisterPrimOp primop_toFile({
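Review bot: The added comment above `state.allowAndSetStorePathString(storePath, v);` only restates the call and does not record why widening the restricted-eval allowlist is acceptable at this point. From the visible lines the allowed path is the single `storePath` derived from `name`, `contents` and `refs`, so the file exposes nothing the expression did not already hold; whether the entries in `refs` stay outside the allowlist depends on `allowAndSetStorePathString`, whose body is not shown, and is worth confirming. I would replace the comment with something like `/* Allow only the file produced here: it holds just 'contents'. In read-only mode the path is computed but never written, so reading it still fails. */`, since the `settings.readOnlyMode` branch allowlists a path that `computeStorePathForText` never creates. `prim_toFile` starts above the hunk, so the handling of `context` before `refs.insert` is not reviewed here.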
diff --git a/tests/eval.sh b/tests/eval.sh
index 2e5ceb969..d74976019 100644
--- a/tests/eval.sh
+++ b/tests/eval.sh
@@ -20,6 +20,8 @@ nix eval --expr 'assert 1 + 2 == 3; true'
[[ $(nix eval attr --json -f "./eval.nix") == '{"foo":"bar"}' ]]
[[ $(nix eval int -f - < "./eval.nix") == 123 ]]
+# Check if toFile can be utilized during restricted eval
+[[ $(nix eval --restrict-eval --expr 'import (builtins.toFile "source" "42")') == 42 ]]
nix-instantiate --eval -E 'assert 1 + 2 == 3; true'
[[ $(nix-instantiate -A int --eval "./eval.nix") == 123 ]]
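Review bot: The new `--restrict-eval` check covers only the allow side, so nothing in this hunk pins that the allowlist change is limited to paths produced by `builtins.toFile`. A paired negative assertion next to it would catch a regression that opens restricted evaluation more widely, for example `(! nix eval --restrict-eval --expr 'builtins.readFile ./eval.nix')`, assuming `./eval.nix` is not on an allowed search path in this test environment. The read-only-store limitation stated in the release note is also untested; a line asserting the expected failure there would document it.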