Add option allowed-uris

This allows network access in restricted eval mode.
2025-06-27 08:31:16 +02:00 · 2017-10-30 12:39:59 +01:00 · 2017-10-30 12:39:59 +01:00 · 812e027e1d
commit 812e027e1d
parent f1c555cef8
8 changed files with 67 additions and 7 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -355,6 +355,26 @@ Path EvalState::checkSourcePath(const Path & path_)
 }


+void EvalState::checkURI(const std::string & uri)
+{
+    if (!restricted) return;
+
+    /* 'uri' should be equal to a prefix, or in a subdirectory of a
+       prefix. Thus, the prefix https://github.co does not permit
+       access to https://github.com. Note: this allows 'http://' and
+       'https://' as prefixes for any http/https URI. */
+    for (auto & prefix : settings.allowedUris.get())
+        if (uri == prefix ||
+            (uri.size() > prefix.size()
+            && prefix.size() > 0
+            && hasPrefix(uri, prefix)
+            && (prefix[prefix.size() - 1] == '/' || uri[prefix.size()] == '/')))
+            return;
+
+    throw RestrictedPathError("access to URI '%s' is forbidden in restricted mode", uri);
+}
+
+
 void EvalState::addConstant(const string & name, Value & v)
 {
    Value * v2 = allocValue();
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@ -110,6 +110,8 @@ public:

    Path checkSourcePath(const Path & path);

+    void checkURI(const std::string & uri);
+
    /* Parse a Nix expression from the specified file. */
    Expr * parseExprFromFile(const Path & path);
    Expr * parseExprFromFile(const Path & path, StaticEnv & staticEnv);
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@ -1937,8 +1937,7 @@ void fetch(EvalState & state, const Pos & pos, Value * * args, Value & v,
    } else
        url = state.forceStringNoCtx(*args[0], pos);

-    if (state.restricted)
-        throw Error(format("'%1%' is not allowed in restricted mode") % who);
+    state.checkURI(url);

    Path res = getDownloader()->downloadCached(state.store, url, unpack, name, expectedHash);
    mkString(v, res, PathSet({res}));
--- a/src/libexpr/primops/fetchgit.cc
+++ b/src/libexpr/primops/fetchgit.cc
@ -113,9 +113,6 @@ GitInfo exportGit(ref<Store> store, const std::string & uri,

 static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Value & v)
 {
-    // FIXME: cut&paste from fetch().
-    if (state.restricted) throw Error("'fetchGit' is not allowed in restricted mode");
-
    std::string url;
    std::string ref = "master";
    std::string rev;
@ -150,6 +147,10 @@ static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Va
    } else
        url = state.forceStringNoCtx(*args[0], pos);

+    // FIXME: git externals probably can be used to bypass the URI
+    // whitelist. Ah well.
+    state.checkURI(url);
+
    auto gitInfo = exportGit(state.store, url, ref, rev, name);

    state.mkAttrs(v, 8);