maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add restricted evaluation mode

Browse source 
If ‘--option restrict-eval true’ is given, the evaluator will throw an
exception if an attempt is made to access any file outside of the Nix
search path. This is primarily intended for Hydra, where we don't want
people doing ‘builtins.readFile ~/.ssh/id_dsa’ or stuff like that.
This commit is contained in:
Eelco Dolstra 2015-02-23 14:41:53 +01:00
parent 47bdc52c1b
commit 15d2d3c34e
6 changed files with 65 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/libexpr/eval.hh
View file

@ -135,6 +135,10 @@ public:
already exist there. */
bool repair;
/* If set, don't allow access to files outside of the Nix search
path or to environment variables. */
bool restricted;
private:
SrcToStore srcToStore;
@ -155,6 +159,8 @@ public:
void addToSearchPath(const string & s, bool warn = false);
Path checkSourcePath(const Path & path);
/* Parse a Nix expression from the specified file. */
Expr * parseExprFromFile(const Path & path);
Expr * parseExprFromFile(const Path & path, StaticEnv & staticEnv);