author | Florian Klink <flokli@flokli.de> | 2024-06-25T19·46+0300 |
---|---|---|
committer | flokli <flokli@flokli.de> | 2024-06-26T16·06+0000 |
commit | cd485661739ed1d4544498118599869ebd9152e2 (patch) | |
tree | 0b4d4fb6a535a28e894d0422886fab97a21602b2 | |
parent | aa7d125c12eb7950bf522d4dfe094223df42743b (diff) |
fix(tvix/glue): reject unknown attrset args for fetch builtins r/8315
This now uses UnexpectedArgumentBuiltin in case builtins.fetchurl or builtins.fetchTarball are called with the wrong arguments: ``` note: while evaluating this Nix code --> [code]:1:1 | 1 | builtins.readDir (builtins.fetchTarball { url = "https://git"; hash = "sha1-NKNeU1csW5YJ4lCeWH3Z/apppNU=";}) | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ error[E040]: Unexpected agrument `"hash"` passed to builtin --> [code]:1:19 | 1 | builtins.readDir (builtins.fetchTarball { url = "https://git"; hash = "sha1-NKNeU1csW5YJ4lCeWH3Z/apppNU=";}) | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ while calling this builtin ``` Change-Id: I51124255a46b78d3cf4dc89a1eca9e68750858d4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11878 Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com> Reviewed-by: flokli <flokli@flokli.de> Reviewed-by: Simon Hauser <simon.hauser@helsinki-systems.de> Tested-by: BuildkiteCI
3 files changed, 18 insertions, 1 deletions
diff --git a/tvix/glue/src/builtins/fetchers.rs b/tvix/glue/src/builtins/fetchers.rs
index 47da71fb922b..1ad43b383353 100644
--- a/tvix/glue/src/builtins/fetchers.rs
+++ b/tvix/glue/src/builtins/fetchers.rs
@@ -60,7 +60,14 @@ async fn extract_fetch_args(
 Err(cek) => return Ok(Err(cek)),
 };
- // TODO: disallow other attrset keys, to match Nix' behaviour.
+ // Disallow other attrset keys, to match Nix' behaviour.
+ // We complain about the first unexpected key we find in the list.
+ const VALID_KEYS: [&[u8]; 3] = [b"url", b"name", b"sha256"];
+ if let Some(first_invalid_key) = attrs.keys().find(|k| !&VALID_KEYS.contains(&k.as_bytes())) {
+ return Err(ErrorKind::UnexpectedArgumentBuiltin(
+ first_invalid_key.clone(),
+ ));
+ }
 // parse the sha256 string into a digest.
 let sha256 = match sha256_str {
diff --git a/tvix/glue/src/tests/tvix_tests/eval-fail-fetchtarball-invalid-attrs.nix b/tvix/glue/src/tests/tvix_tests/eval-fail-fetchtarball-invalid-attrs.nix
new file mode 100644
index 000000000000..209f58cc9d0c
--- /dev/null
+++ b/tvix/glue/src/tests/tvix_tests/eval-fail-fetchtarball-invalid-attrs.nix
@@ -0,0 +1,5 @@
+(builtins.fetchTarball {
+ url = "https://test.example/owo";
+ # Only "sha256" is accepted here.
+ hash = "sha256-Xa1Jbl2Eq5+L0ww+Ph1osA3Z/Dxe/RkN1/dITQCdXFk=";
+})
diff --git a/tvix/glue/src/tests/tvix_tests/eval-fail-fetchurl-invalid-attrs.nix b/tvix/glue/src/tests/tvix_tests/eval-fail-fetchurl-invalid-attrs.nix
new file mode 100644
index 000000000000..d3c2bed8018e
--- /dev/null
+++ b/tvix/glue/src/tests/tvix_tests/eval-fail-fetchurl-invalid-attrs.nix
@@ -0,0 +1,5 @@
+(builtins.fetchurl {
+ url = "https://test.example/owo";
+ # Only "sha256" is accepted here.
+ hash = "sha256-Xa1Jbl2Eq5+L0ww+Ph1osA3Z/Dxe/RkN1/dITQCdXFk=";
+}) |
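Review bot: In the `extract_fetch_args` hunk of tvix/glue/src/builtins/fetchers.rs, the predicate `!&VALID_KEYS.contains(&k.as_bytes())` carries a stray `&`: it borrows the `bool` returned by `contains` and negates the reference, which compiles but obscures the allow-list check that decides whether a fetch argument is accepted; `.find(|k| !VALID_KEYS.contains(&k.as_bytes()))` reads plainly. The comment above the check could also record why rejection matters, for example `// A silently ignored key such as "hash" would let the fetch run without the integrity pin the caller meant to set.`; whether a missing `sha256` is otherwise tolerated is decided outside this hunk, so treat that wording as something to confirm. The function body starts before and continues after the hunk, so the order of this check relative to the extraction of `url`, `name` and `sha256` cannot be verified from here.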