From e5596113f7fc5e47e058bb15afdf75eee02ed95e Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 14 Sep 2021 21:09:11 +0200
Subject: Disallow reading flake.lock
With --no-write-lock-file, it's possible that flake.lock is out of sync with the actual inputs used by the evaluation. So doing fromJSON (readFile ./flake.lock) will give wrong results. Fixes #4639.
---
 src/libexpr/primops.cc | 5 +++++
 1 file changed, 5 insertions(+) (limited to 'src')
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index 8a087a781..1de86ad04 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -1412,6 +1412,11 @@ static void prim_readFile(EvalState & state, const Pos & pos, Value * * args, Va
 {
 PathSet context;
 Path path = state.coerceToPath(pos, *args[0], context);
+ if (baseNameOf(path) == "flake.lock")
+ throw Error({
+ .msg = hintfmt("cannot read '%s' because flake lock files can be out of sync", path),
+ .errPos = pos
+ });
 try {
 state.realiseContext(context);
 } catch (InvalidPathError & e) {
-- 
cgit v1.2.3
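Review bot: The added guard in prim_readFile is unconditional and purely name-based: `baseNameOf(path) == "flake.lock"` rejects every file with that name, whether or not the evaluation involves a flake whose lock file was left unwritten, although the commit message ties the problem only to --no-write-lock-file. It would be tighter to apply the check only when the lock file can actually be stale, or at least only to the lock file of the flake being evaluated. The check also sits only in this primop and before `state.realiseContext(context)`, so it presumably does not cover the same file read through another builtin or under a different name. If that is intended as best-effort, a comment should say so, e.g. `// Best-effort, name-based check; other primops are not covered.` The body of prim_readFile continues outside the hunk, so how `path` is used afterwards is not visible here.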