3 files changed, 18 insertions, 1 deletions
diff --git a/tvix/glue/src/builtins/fetchers.rs b/tvix/glue/src/builtins/fetchers.rs
index 47da71fb922b..1ad43b383353 100644
--- a/tvix/glue/src/builtins/fetchers.rs
+++ b/tvix/glue/src/builtins/fetchers.rs
@@ -60,7 +60,14 @@ async fn extract_fetch_args(
 Err(cek) => return Ok(Err(cek)),
 };
 
- // TODO: disallow other attrset keys, to match Nix' behaviour.
+ // Disallow other attrset keys, to match Nix' behaviour.
+ // We complain about the first unexpected key we find in the list.
+ const VALID_KEYS: [&[u8]; 3] = [b"url", b"name", b"sha256"];
+ if let Some(first_invalid_key) = attrs.keys().find(|k| !&VALID_KEYS.contains(&k.as_bytes())) {
+ return Err(ErrorKind::UnexpectedArgumentBuiltin(
+ first_invalid_key.clone(),
+ ));
+ }
 
 // parse the sha256 string into a digest.
 let sha256 = match sha256_str {
diff --git a/tvix/glue/src/tests/tvix_tests/eval-fail-fetchtarball-invalid-attrs.nix b/tvix/glue/src/tests/tvix_tests/eval-fail-fetchtarball-invalid-attrs.nix
new file mode 100644
index 000000000000..209f58cc9d0c
--- /dev/null
+++ b/tvix/glue/src/tests/tvix_tests/eval-fail-fetchtarball-invalid-attrs.nix
@@ -0,0 +1,5 @@
+(builtins.fetchTarball {
+ url = "https://test.example/owo";
+ # Only "sha256" is accepted here.
+ hash = "sha256-Xa1Jbl2Eq5+L0ww+Ph1osA3Z/Dxe/RkN1/dITQCdXFk=";
+})
diff --git a/tvix/glue/src/tests/tvix_tests/eval-fail-fetchurl-invalid-attrs.nix b/tvix/glue/src/tests/tvix_tests/eval-fail-fetchurl-invalid-attrs.nix
new file mode 100644
index 000000000000..d3c2bed8018e
--- /dev/null
+++ b/tvix/glue/src/tests/tvix_tests/eval-fail-fetchurl-invalid-attrs.nix
@@ -0,0 +1,5 @@
+(builtins.fetchurl {
+ url = "https://test.example/owo";
+ # Only "sha256" is accepted here.
+ hash = "sha256-Xa1Jbl2Eq5+L0ww+Ph1osA3Z/Dxe/RkN1/dITQCdXFk=";
+})
|
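Review bot: The `&` in `!&VALID_KEYS.contains(&k.as_bytes())` in the fetchers.rs hunk is a stray borrow. It only compiles because `Not` is implemented for `&bool`, so the predicate reads more clearly as `attrs.keys().find(|k| !VALID_KEYS.contains(&k.as_bytes()))`. The comment above the check could also say why rejecting unknown keys matters beyond matching Nix. With the old TODO in place, an unsupported attribute such as the `hash` used in the two new tests was presumably ignored, so the fetch would go ahead without the integrity pin the caller meant to supply. A wording like `// Fail closed on unknown keys: a misspelled or unsupported hash attribute must not be silently dropped.` would record that for the next maintainer. `extract_fetch_args` starts and ends outside this hunk, so how `sha256_str` is handled when it is absent is not visible here.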