fix NIX_PATH for real (#11079)

* fix NIX_PATH overriding - test restricted evaluation - test precedence for setting the search path Co-authored-by: Robert Hensing <robert@roberthensing.nl> Co-authored-by: John Ericson <git@JohnEricson.me>
2025-06-28 09:31:16 +02:00 · 2024-07-24 23:17:15 +02:00 · 2024-07-24 23:17:15 +02:00 · e062021314
commit e062021314
parent 874c1bdbbf
7 changed files with 111 additions and 12 deletions
--- a/src/libexpr/eval-gc.cc
+++ b/src/libexpr/eval-gc.cc
@ -1,5 +1,7 @@
 #include "error.hh"
 #include "environment-variables.hh"
+#include "eval-settings.hh"
+#include "config-global.hh"
 #include "serialise.hh"
 #include "eval-gc.hh"

@ -230,6 +232,12 @@ void initGC()
    gcCyclesAfterInit = GC_get_gc_no();
 #endif

+    // NIX_PATH must override the regular setting
+    // See the comment in applyConfig
+    if (auto nixPathEnv = getEnv("NIX_PATH")) {
+        globalConfig.set("nix-path", concatStringsSep(" ", EvalSettings::parseNixPath(nixPathEnv.value())));
+    }
+
    gcInitialised = true;
 }

--- a/src/libexpr/eval-settings.cc
+++ b/src/libexpr/eval-settings.cc
@ -8,7 +8,7 @@ namespace nix {

 /* Very hacky way to parse $NIX_PATH, which is colon-separated, but
   can contain URLs (e.g. "nixpkgs=https://bla...:foo=https://"). */
-static Strings parseNixPath(const std::string & s)
+Strings EvalSettings::parseNixPath(const std::string & s)
 {
    Strings res;

@ -48,10 +48,7 @@ EvalSettings::EvalSettings(bool & readOnlyMode, EvalSettings::LookupPathHooks lo
    : readOnlyMode{readOnlyMode}
    , lookupPathHooks{lookupPathHooks}
 {
-    auto var = getEnv("NIX_PATH");
-    if (var) nixPath = parseNixPath(*var);
-
-    var = getEnv("NIX_ABORT_ON_WARN");
+    auto var = getEnv("NIX_ABORT_ON_WARN");
    if (var && (var == "1" || var == "yes" || var == "true"))
        builtinsAbortOnWarn = true;
 }
--- a/src/libexpr/eval-settings.hh
+++ b/src/libexpr/eval-settings.hh
@ -47,6 +47,8 @@ struct EvalSettings : Config

    static bool isPseudoUrl(std::string_view s);

+    static Strings parseNixPath(const std::string & s);
+
    static std::string resolvePseudoUrl(std::string_view url);

    LookupPathHooks lookupPathHooks;
@ -71,7 +73,7 @@ struct EvalSettings : Config
    )"};

    Setting<Strings> nixPath{
-        this, getDefaultNixPath(), "nix-path",
+        this, {}, "nix-path",
        R"(
          List of search paths to use for [lookup path](@docroot@/language/constructs/lookup-path.md) resolution.
          This setting determines the value of
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -215,7 +215,7 @@ static Symbol getName(const AttrName & name, EvalState & state, Env & env)
 static constexpr size_t BASE_ENV_SIZE = 128;

 EvalState::EvalState(
-    const LookupPath & _lookupPath,
+    const LookupPath & lookupPathFromArguments,
    ref<Store> store,
    const fetchers::Settings & fetchSettings,
    const EvalSettings & settings,
@ -331,12 +331,21 @@ EvalState::EvalState(
    vStringSymlink.mkString("symlink");
    vStringUnknown.mkString("unknown");

-    /* Initialise the Nix expression search path. */
+    /* Construct the Nix expression search path. */
+    assert(lookupPath.elements.empty());
    if (!settings.pureEval) {
-        for (auto & i : _lookupPath.elements)
+        for (auto & i : lookupPathFromArguments.elements) {
            lookupPath.elements.emplace_back(LookupPath::Elem {i});
-        for (auto & i : settings.nixPath.get())
+        }
+        /* $NIX_PATH overriding regular settings is implemented as a hack in `initGC()` */
+        for (auto & i : settings.nixPath.get()) {
            lookupPath.elements.emplace_back(LookupPath::Elem::parse(i));
+        }
+        if (!settings.restrictEval) {
+            for (auto & i : EvalSettings::getDefaultNixPath()) {
+                lookupPath.elements.emplace_back(LookupPath::Elem::parse(i));
+            }
+        }
    }

    /* Allow access to all paths in the search path. */