allowed-uris: Match whole schemes also when scheme is not followed by slashes

(cherry picked from commit a05bc9eb92)
2025-06-27 16:51:15 +02:00 · 2023-12-06 15:27:29 +01:00 · 2023-12-06 15:27:29 +01:00 · ffb6246650
commit ffb6246650
parent 2116ee2454
4 changed files with 63 additions and 1 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -16,6 +16,7 @@
 #include "fs-input-accessor.hh"
 #include "memory-input-accessor.hh"
 #include "signals.hh"
+#include "url.hh"

 #include <algorithm>
 #include <chrono>
@ -602,6 +603,14 @@ void EvalState::allowAndSetStorePathString(const StorePath & storePath, Value &
    mkStorePathString(storePath, v);
 }

+inline static bool isJustSchemePrefix(std::string_view prefix)
+{
+    return
+        !prefix.empty()
+        && prefix[prefix.size() - 1] == ':'
+        && isValidSchemeName(prefix.substr(0, prefix.size() - 1));
+}
+

 SourcePath EvalState::checkSourcePath(const SourcePath & path_)
 {
@ -663,8 +672,14 @@ bool isAllowedURI(std::string_view uri, const Strings & allowedUris)
                && prefix.size() > 0
                && hasPrefix(uri, prefix)
                && (
+                    // Allow access to subdirectories of the prefix.
                    prefix[prefix.size() - 1] == '/'
-                    || uri[prefix.size()] == '/')))
+                    || uri[prefix.size()] == '/'
+
+                    // Allow access to whole schemes
+                    || isJustSchemePrefix(prefix)
+                    )
+                ))
            return true;
    }