From f25112d3832b93a2bc8abe7936e6355dae9a25d5 Mon Sep 17 00:00:00 2001
From: Tom Bereknyei
Date: Thu, 21 Apr 2022 16:41:37 -0400
Subject: fix: builtins.toFile adds path to allowedPaths
The produced path is then allowed be imported or utilized elsewhere: ``` assert (43 == import (builtins.toFile "source" "43")); "good" ``` This will still fail on write-only stores.
---
 tests/eval.sh | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'tests/eval.sh')
diff --git a/tests/eval.sh b/tests/eval.sh
index 2e5ceb969..d74976019 100644
--- a/tests/eval.sh
+++ b/tests/eval.sh
@@ -20,6 +20,8 @@ nix eval --expr 'assert 1 + 2 == 3; true'
 [[ $(nix eval attr --json -f "./eval.nix") == '{"foo":"bar"}' ]]
 [[ $(nix eval int -f - < "./eval.nix") == 123 ]]
+# Check if toFile can be utilized during restricted eval
+[[ $(nix eval --restrict-eval --expr 'import (builtins.toFile "source" "42")') == 42 ]]
 nix-instantiate --eval -E 'assert 1 + 2 == 3; true'
 [[ $(nix-instantiate -A int --eval "./eval.nix") == 123 ]]
--
cgit v1.2.3
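Review bot: The added check pins only the positive case, so it would still pass if the allowedPaths change let restricted evaluation accept more than the `toFile` result. Pairing it with a negative assertion keeps the restriction itself under test, for example `(! nix eval --restrict-eval --expr 'import ./eval.nix')`, assuming the test directory is not on the search path in this suite. The source change is not part of this view (the patch is limited to tests/eval.sh), so whether the new allowance is scoped to the single produced store path cannot be confirmed from here. The description says the call still fails on write-only stores; a one-line comment next to the test stating that would explain a failure in that configuration.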