From bf790d1a7fffcfd5c6a92711179d644119128a61 Mon Sep 17 00:00:00 2001
From: Mikael Voss
Date: Thu, 13 Mar 2025 12:57:06 +0100
Subject: [PATCH 1/2] lib/path: properly handle /. in hasStorePathPrefix
---
 lib/path/default.nix | 2 +-
 lib/path/tests/unit.nix | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/path/default.nix b/lib/path/default.nix
index be559eadf182..1284bed94bb0 100644
--- a/lib/path/default.nix
+++ b/lib/path/default.nix
@@ -165,7 +165,7 @@ let
 # This is a workaround for https://github.com/NixOS/nix/issues/12361 which
 # was needed during the experimental phase of ca-derivations and should be
 # removed once the issue has been resolved.
- || match "[0-9a-z]{52}" (head components) != null;
+ || components != [ ] && match "[0-9a-z]{52}" (head components) != null;
 in
 # No rec! Add dependencies on this file at the top.
diff --git a/lib/path/tests/unit.nix b/lib/path/tests/unit.nix
index a52b4f44e51d..fa2e004e9c3a 100644
--- a/lib/path/tests/unit.nix
+++ b/lib/path/tests/unit.nix
@@ -110,6 +110,12 @@ let
 expected = false;
 };
+ # Root path (empty path components list)
+ testHasStorePathPrefixRoot = {
+ expr = hasStorePathPrefix /.;
+ expected = false;
+ };
+
 testHasStorePathPrefixExample1 = {
 expr = hasStorePathPrefix (storeDirPath + "/nvl9ic0pj1fpyln3zaqrf4cclbqdfn1j-foo/bar/baz");
 expected = true;
From 931f464581651b32b02eac6b28847b8d1b93ffcd Mon Sep 17 00:00:00 2001
From: Mikael Voss
Date: Wed, 5 Mar 2025 14:45:36 +0100
Subject: [PATCH 2/2] lib/types: check paths in pathWith with hasStorePathPrefix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This permits usage of content‐addressed derivations and has the added benefit of checking normalised paths.
---
 lib/tests/modules/pathWith.nix | 3 +++
 lib/types.nix | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/tests/modules/pathWith.nix b/lib/tests/modules/pathWith.nix
index 273bc06dfc00..98ba39cb2c4b 100644 
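Review bot: The guard on the `+` line of the lib/path/default.nix hunk relies on `&&` binding tighter than `||`, so only the `match … (head components)` term is protected while the earlier alternatives of this `||` chain are unaffected; that is the intended reading, and it is what the new `/.` case in lib/path/tests/unit.nix exercises, but in a multi-line chain it is easy to misread, and `|| (components != [ ] && match "[0-9a-z]{52}" (head components) != null);` makes the grouping explicit. The comment block above only explains the 52-character workaround, so a short line such as `# The root path /. has an empty component list, so head would fail without this guard.` would record why the check exists. The enclosing `let` binding begins outside the hunk.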
--- a/lib/tests/modules/pathWith.nix
+++ b/lib/tests/modules/pathWith.nix
@@ -58,6 +58,9 @@ in
 pathInStore.ok1 = "${storeDir}/0lz9p8xhf89kb1c1kk6jxrzskaiygnlh-bash-5.2-p15.drv";
 pathInStore.ok2 = "${storeDir}/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15";
 pathInStore.ok3 = "${storeDir}/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15/bin/bash";
+ pathInStore.ok4 = "/1121rp0gvr1qya7hvy925g5kjwg66acz6sn1ra1hca09f1z5dsab"; # CA derivation
+ pathInStore.ok5 = "/1121rp0gvr1qya7hvy925g5kjwg66acz6sn1ra1hca09f1z5dsab/bin/bash"; # CA derivation
+ pathInStore.ok6 = /1121rp0gvr1qya7hvy925g5kjwg66acz6sn1ra1hca09f1z5dsab; # CA derivation, path type
 pathInStore.bad1 = "";
 pathInStore.bad2 = "${storeDir}";
 pathInStore.bad3 = "${storeDir}/";
diff --git a/lib/types.nix b/lib/types.nix
index 11b1b5463bc7..286e5bf76aff 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -669,7 +669,14 @@ let
 check = x: let
- isInStore = builtins.match "${builtins.storeDir}/[^.].*" (toString x) != null;
+ isInStore = lib.path.hasStorePathPrefix (
+ if builtins.isPath x then
+ x
+ # Discarding string context is necessary to convert the value to
+ # a path and safe as the result is never used in any derivation.
+ else
+ /. + builtins.unsafeDiscardStringContext x
+ );
 isAbsolute = builtins.substring 0 1 (toString x) == "/";
 isExpectedType = (
 if inStore == null || inStore then isStringLike x else isString x # Do not allow a true path, which could be copied to the store later on.
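Review bot: The `else` branch of the new `isInStore` binding in lib/types.nix roots every non-path value at `/.`, so a relative string such as `nix/store/<hash>-name` (constructed example) is turned into `/nix/store/<hash>-name` and now satisfies `hasStorePathPrefix`, whereas the removed `builtins.match "${builtins.storeDir}/[^.].*"` only accepted strings that literally began with the store directory; for a caller that sets `inStore` but leaves `absolute` unset, such a value would now pass the check. Guarding with the `isAbsolute` binding already defined in this `let` restores the old coupling, `isInStore = isAbsolute && lib.path.hasStorePathPrefix (`, and since `&&` short-circuits, the `unsafeDiscardStringContext` conversion is then skipped for relative strings. A negative case in lib/tests/modules/pathWith.nix for a relative store-looking string would pin this, as the added ok4–ok6 cases only cover absolute values. The `in` body of `check` continues outside the hunk.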