aboutsummaryrefslogtreecommitdiff
path: root/src/libexpr/primops
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2022-03-22 22:47:33 +0100
committerEelco Dolstra <edolstra@gmail.com>2022-03-24 21:33:33 +0100
commit4120930ac19ab7296818fdc1d1389e7799168867 (patch)
tree19f4d6de965dce6a2beab68bf17534c8a9bd0c13 /src/libexpr/primops
parent7ffda0af6effbf32c8668f34cc3f0448c58bc3c1 (diff)
fetchClosure: Only allow some "safe" store types
Diffstat (limited to 'src/libexpr/primops')
-rw-r--r--src/libexpr/primops/fetchClosure.cc12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/libexpr/primops/fetchClosure.cc b/src/libexpr/primops/fetchClosure.cc
index c3f07b6d6..247bceb07 100644
--- a/src/libexpr/primops/fetchClosure.cc
+++ b/src/libexpr/primops/fetchClosure.cc
@@ -1,6 +1,7 @@
#include "primops.hh"
#include "store-api.hh"
#include "make-content-addressed.hh"
+#include "url.hh"
namespace nix {
@@ -50,8 +51,15 @@ static void prim_fetchClosure(EvalState & state, const Pos & pos, Value * * args
.errPos = pos
});
- // FIXME: only allow some "trusted" store types (like BinaryCacheStore).
- auto fromStore = openStore(*fromStoreUrl);
+ auto parsedURL = parseURL(*fromStoreUrl);
+
+ if (parsedURL.scheme != "http" && parsedURL.scheme != "https")
+ throw Error({
+ .msg = hintfmt("'fetchClosure' only supports http:// and https:// stores"),
+ .errPos = pos
+ });
+
+ auto fromStore = openStore(parsedURL.to_string());
if (toCA) {
if (!toPath || !state.store->isValidPath(*toPath)) {