about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--doc/manual/command-ref/conf-file.xml18
-rw-r--r--doc/manual/release-notes/rl-1.12.xml8
-rw-r--r--src/libexpr/eval.cc20
-rw-r--r--src/libexpr/eval.hh2
-rw-r--r--src/libexpr/primops.cc3
-rw-r--r--src/libexpr/primops/fetchgit.cc7
-rw-r--r--src/libstore/globals.hh4
-rw-r--r--tests/restricted.sh12
8 files changed, 67 insertions, 7 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 6b90083f0873..fb4d8cefc4d2 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -563,7 +563,8 @@ password <replaceable>my-password</replaceable>
       <para>If set to <literal>true</literal>, the Nix evaluator will
       not allow access to any files outside of the Nix search path (as
       set via the <envar>NIX_PATH</envar> environment variable or the
-      <option>-I</option> option). The default is
+      <option>-I</option> option), or to URIs outside of
+      <option>allowed-uri</option>. The default is
       <literal>false</literal>.</para>
 
     </listitem>
@@ -571,6 +572,21 @@ password <replaceable>my-password</replaceable>
   </varlistentry>
 
 
+  <varlistentry xml:id="conf-allowed-uris"><term><literal>allowed-uris</literal></term>
+
+    <listitem>
+
+      <para>A list of URI prefixes to which access is allowed in
+      restricted evaluation mode. For example, when set to
+      <literal>https://github.com/NixOS</literal>, builtin functions
+      such as <function>fetchGit</function> are allowed to access
+      <literal>https://github.com/NixOS/patchelf.git</literal>.</para>
+
+    </listitem>
+
+  </varlistentry>
+
+
   <varlistentry xml:id="conf-pre-build-hook"><term><literal>pre-build-hook</literal></term>
 
     <listitem>
diff --git a/doc/manual/release-notes/rl-1.12.xml b/doc/manual/release-notes/rl-1.12.xml
index 609dcef6b49e..7c9a8b75ecee 100644
--- a/doc/manual/release-notes/rl-1.12.xml
+++ b/doc/manual/release-notes/rl-1.12.xml
@@ -418,6 +418,14 @@ configureFlags = "--prefix=${placeholder "out"} --includedir=${placeholder "dev"
     through the MELPA package repository.</para>
   </listitem>
 
+  <listitem>
+    <para>In restricted evaluation mode
+    (<option>--restrict-eval</option>), builtin functions that
+    download from the network (such as <function>fetchGit</function>)
+    are permitted to fetch underneath the list of URI prefixes
+    specified in the option <option>allowed-uris</option>.</para>
+  </listitem>
+
 </itemizedlist>
 
 <para>This release has contributions from TBD.</para>
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index 548537b72ced..63de2d60a147 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -355,6 +355,26 @@ Path EvalState::checkSourcePath(const Path & path_)
 }
 
 
+void EvalState::checkURI(const std::string & uri)
+{
+    if (!restricted) return;
+
+    /* 'uri' should be equal to a prefix, or in a subdirectory of a
+       prefix. Thus, the prefix https://github.co does not permit
+       access to https://github.com. Note: this allows 'http://' and
+       'https://' as prefixes for any http/https URI. */
+    for (auto & prefix : settings.allowedUris.get())
+        if (uri == prefix ||
+            (uri.size() > prefix.size()
+            && prefix.size() > 0
+            && hasPrefix(uri, prefix)
+            && (prefix[prefix.size() - 1] == '/' || uri[prefix.size()] == '/')))
+            return;
+
+    throw RestrictedPathError("access to URI '%s' is forbidden in restricted mode", uri);
+}
+
+
 void EvalState::addConstant(const string & name, Value & v)
 {
     Value * v2 = allocValue();
diff --git a/src/libexpr/eval.hh b/src/libexpr/eval.hh
index 04a36b14cefa..f0ab1435bff3 100644
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@@ -110,6 +110,8 @@ public:
 
     Path checkSourcePath(const Path & path);
 
+    void checkURI(const std::string & uri);
+
     /* Parse a Nix expression from the specified file. */
     Expr * parseExprFromFile(const Path & path);
     Expr * parseExprFromFile(const Path & path, StaticEnv & staticEnv);
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index 22925ba4de19..cd0dfbc03e94 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -1937,8 +1937,7 @@ void fetch(EvalState & state, const Pos & pos, Value * * args, Value & v,
     } else
         url = state.forceStringNoCtx(*args[0], pos);
 
-    if (state.restricted)
-        throw Error(format("'%1%' is not allowed in restricted mode") % who);
+    state.checkURI(url);
 
     Path res = getDownloader()->downloadCached(state.store, url, unpack, name, expectedHash);
     mkString(v, res, PathSet({res}));
diff --git a/src/libexpr/primops/fetchgit.cc b/src/libexpr/primops/fetchgit.cc
index 38bffd8dbdbc..81b641900593 100644
--- a/src/libexpr/primops/fetchgit.cc
+++ b/src/libexpr/primops/fetchgit.cc
@@ -113,9 +113,6 @@ GitInfo exportGit(ref<Store> store, const std::string & uri,
 
 static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Value & v)
 {
-    // FIXME: cut&paste from fetch().
-    if (state.restricted) throw Error("'fetchGit' is not allowed in restricted mode");
-
     std::string url;
     std::string ref = "master";
     std::string rev;
@@ -150,6 +147,10 @@ static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Va
     } else
         url = state.forceStringNoCtx(*args[0], pos);
 
+    // FIXME: git externals probably can be used to bypass the URI
+    // whitelist. Ah well.
+    state.checkURI(url);
+
     auto gitInfo = exportGit(state.store, url, ref, rev, name);
 
     state.mkAttrs(v, 8);
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 538273b546be..a4aa842d70fd 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -225,7 +225,7 @@ public:
 
     Setting<bool> restrictEval{this, false, "restrict-eval",
         "Whether to restrict file system access to paths in $NIX_PATH, "
-        "and to disallow fetching files from the network."};
+        "and network access to the URI prefixes listed in 'allowed-uris'."};
 
     Setting<size_t> buildRepeat{this, 0, "repeat",
         "The number of times to repeat a build in order to verify determinism.",
@@ -353,6 +353,8 @@ public:
     Setting<uint64_t> maxFree{this, std::numeric_limits<uint64_t>::max(), "max-free",
         "Stop deleting garbage when free disk space is above the specified amount."};
 
+    Setting<Strings> allowedUris{this, {}, "allowed-uris",
+        "Prefixes of URIs that builtin functions such as fetchurl and fetchGit are allowed to fetch."};
 };
 
 
diff --git a/tests/restricted.sh b/tests/restricted.sh
index 19096a9f8dd2..a297847cc8e3 100644
--- a/tests/restricted.sh
+++ b/tests/restricted.sh
@@ -16,3 +16,15 @@ nix-instantiate --option restrict-eval true --eval -E 'builtins.readDir ../src/b
 (! nix-instantiate --option restrict-eval true --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
 nix-instantiate --option restrict-eval true --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
 
+p=$(nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --restrict-eval --allowed-uris "file://$(pwd)")
+cmp $p restricted.sh
+
+(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --restrict-eval)
+
+(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/")
+
+nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh"
+
+(! nix eval --raw "(builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz)" --restrict-eval)
+(! nix eval --raw "(builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz)" --restrict-eval)
+(! nix eval --raw "(fetchGit git://github.com/NixOS/patchelf.git)" --restrict-eval)