allowed-uris: Match whole schemes also when scheme is not followed by slashes

2025-06-28 17:51:15 +02:00 · 2023-12-06 15:27:29 +01:00 · 2023-12-06 15:27:29 +01:00 · a05bc9eb92
commit a05bc9eb92
parent d3a85b6834
4 changed files with 63 additions and 1 deletions
--- a/src/libexpr/eval-settings.hh
+++ b/src/libexpr/eval-settings.hh
@ -68,6 +68,11 @@ struct EvalSettings : Config
          evaluation mode. For example, when set to
          `https://github.com/NixOS`, builtin functions such as `fetchGit` are
          allowed to access `https://github.com/NixOS/patchelf.git`.
+
+          Access is granted when
+          - the URI is equal to the prefix,
+          - or the URI is a subpath of the prefix,
+          - or the prefix is a URI scheme ended by a colon `:` and the URI has the same scheme.
        )"};

    Setting<bool> traceFunctionCalls{this, false, "trace-function-calls",