isAllowedURI: Extract function and test

(cherry picked from commit 91ba7b2307)
2025-06-27 16:51:15 +02:00 · 2023-12-06 12:41:47 +01:00 · 2023-12-06 12:41:47 +01:00 · 90c7904abf
commit 90c7904abf
parent 2b0ce229aa
3 changed files with 125 additions and 5 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -602,6 +602,7 @@ void EvalState::allowAndSetStorePathString(const StorePath & storePath, Value &
    mkStorePathString(storePath, v);
 }

+
 SourcePath EvalState::checkSourcePath(const SourcePath & path_)
 {
    // Don't check non-rootFS accessors, they're in a different namespace.
@ -650,21 +651,29 @@ SourcePath EvalState::checkSourcePath(const SourcePath & path_)
 }


-void EvalState::checkURI(const std::string & uri)
+bool isAllowedURI(std::string_view uri, const Strings & allowedUris)
 {
-    if (!evalSettings.restrictEval) return;
-
    /* 'uri' should be equal to a prefix, or in a subdirectory of a
       prefix. Thus, the prefix https://github.co does not permit
       access to https://github.com. Note: this allows 'http://' and
       'https://' as prefixes for any http/https URI. */
-    for (auto & prefix : evalSettings.allowedUris.get())
+    for (auto & prefix : allowedUris) {
        if (uri == prefix ||
            (uri.size() > prefix.size()
            && prefix.size() > 0
            && hasPrefix(uri, prefix)
            && (prefix[prefix.size() - 1] == '/' || uri[prefix.size()] == '/')))
-            return;
+            return true;
+    }
+
+    return false;
+}
+
+void EvalState::checkURI(const std::string & uri)
+{
+    if (!evalSettings.restrictEval) return;
+
+    if (isAllowedURI(uri, evalSettings.allowedUris.get())) return;

    /* If the URI is a path, then check it against allowedPaths as
       well. */