lib/types: check paths in pathWith with hasStorePathPrefix (#387304)

2025-06-09 19:13:26 +03:00 · 2025-04-21 10:45:23 +02:00 · 2025-04-21 10:45:23 +02:00 · 013beed1db
commit 013beed1db
parent 844866b122 931f464581
4 changed files with 18 additions and 2 deletions
--- a/lib/path/default.nix
+++ b/lib/path/default.nix
@ -165,7 +165,7 @@ let
    # This is a workaround for https://github.com/NixOS/nix/issues/12361 which
    # was needed during the experimental phase of ca-derivations and should be
    # removed once the issue has been resolved.
-    || match "[0-9a-z]{52}" (head components) != null;
+    || components != [ ] && match "[0-9a-z]{52}" (head components) != null;

 in
 # No rec! Add dependencies on this file at the top.
--- a/lib/path/tests/unit.nix
+++ b/lib/path/tests/unit.nix
@ -110,6 +110,12 @@ let
      expected = false;
    };

+    # Root path (empty path components list)
+    testHasStorePathPrefixRoot = {
+      expr = hasStorePathPrefix /.;
+      expected = false;
+    };
+
    testHasStorePathPrefixExample1 = {
      expr = hasStorePathPrefix (storeDirPath + "/nvl9ic0pj1fpyln3zaqrf4cclbqdfn1j-foo/bar/baz");
      expected = true;
--- a/lib/tests/modules/pathWith.nix
+++ b/lib/tests/modules/pathWith.nix
@ -58,6 +58,9 @@ in
  pathInStore.ok1 = "${storeDir}/0lz9p8xhf89kb1c1kk6jxrzskaiygnlh-bash-5.2-p15.drv";
  pathInStore.ok2 = "${storeDir}/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15";
  pathInStore.ok3 = "${storeDir}/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15/bin/bash";
+  pathInStore.ok4 = "/1121rp0gvr1qya7hvy925g5kjwg66acz6sn1ra1hca09f1z5dsab"; # CA derivation
+  pathInStore.ok5 = "/1121rp0gvr1qya7hvy925g5kjwg66acz6sn1ra1hca09f1z5dsab/bin/bash"; # CA derivation
+  pathInStore.ok6 = /1121rp0gvr1qya7hvy925g5kjwg66acz6sn1ra1hca09f1z5dsab; # CA derivation, path type
  pathInStore.bad1 = "";
  pathInStore.bad2 = "${storeDir}";
  pathInStore.bad3 = "${storeDir}/";
--- a/lib/types.nix
+++ b/lib/types.nix
@ -678,7 +678,14 @@ let
            check =
              x:
              let
-                isInStore = builtins.match "${builtins.storeDir}/[^.].*" (toString x) != null;
+                isInStore = lib.path.hasStorePathPrefix (
+                  if builtins.isPath x then
+                    x
+                  # Discarding string context is necessary to convert the value to
+                  # a path and safe as the result is never used in any derivation.
+                  else
+                    /. + builtins.unsafeDiscardStringContext x
+                );
                isAbsolute = builtins.substring 0 1 (toString x) == "/";
                isExpectedType = (
                  if inStore == null || inStore then isStringLike x else isString x # Do not allow a true path, which could be copied to the store later on.