path: root/src/libexpr
Age | Commit message | Author | Files | Lines
2018-08-03 | Fix symlink leak in restricted eval mode | aszlig | 1 | -4/+10
In EvalState::checkSourcePath, the path is checked against the list of allowed paths first and later it's checked again *after* resolving symlinks.
The resolving of the symlinks is done via canonPath, which also strips out "../" and "./". However after the canonicalisation the error message pointing out that the path is not allowed prints the symlink target in the error message.
Even if we'd suppress the message, symlink targets could still be leaked if the symlink target doesn't exist (in this case the error is thrown in canonPath).
So instead, we now do canonPath() without symlink resolving first before even checking against the list of allowed paths and then later do the symlink resolving and checking the allowed paths again.
The first call to canonPath() should get rid of all the "../" and "./", so in theory the only way to leak a symlink is if the attacker is able to put a symlink in one of the paths allowed by restricted evaluation mode.
For the latter I don't think this is part of the threat model, because if the attacker can write to that path, the attack vector is even larger.
Signed-off-by: aszlig <aszlig@nix.build>
2018-07-05 | prim_concatMap: no need to force value | volth | 1 | -1/+0
2018-07-05 | prim_mapAttrs: must be lazy to avoid infinite recursion | volth | 1 | -4/+5
2018-07-05 | prim_concatMap: allocate intermediate list on stack | volth | 1 | -7/+15
2018-07-05 | primops.cc: fix comment | volth | 1 | -1/+1
2018-07-05 | lib.concatMap and lib.mapAttrs to be builtins | volth | 1 | -0/+42
2018-07-03 | Include cpptoml for build simplicity | Eelco Dolstra | 1 | -1/+1
2018-07-03 | Add a fromTOML primop | Eelco Dolstra | 1 | -0/+77
This is primarily useful for processing Cargo.lock files.
2018-07-03 | Store floating point numbers in double precision | Eelco Dolstra | 1 | -1/+1
Even on 32-bit systems, Value has enough space to hold a double.
2018-06-12 | GC_malloc -> GC_MALLOC | Eelco Dolstra | 2 | -9/+3
This makes it possible to build with -DGC_DEBUG.
2018-06-12 | Don't scan for roots in dynamic libraries | Eelco Dolstra | 1 | -0/+7
This reduces the risk of object liveness misdetection. For example, Glibc has an internal variable "mp_" that often points to a Boehm object, keeping it alive unnecessarily. Since we don't store any actual roots in global variables, we can just disable data segment scanning. With this, the max RSS doing 100 evaluations of nixos.tests.firefox.x86_64-linux.drvPath went from 718 MiB to 455 MiB.
2018-06-12 | Add temporary stats | Eelco Dolstra | 2 | -1/+28
2018-06-12 | Cache parse trees | Eelco Dolstra | 2 | -2/+19
This prevents EvalState::resetFileCache() from parsing everything all over again.
2018-06-12 | Remove duplicate definition of allocBytes() | Eelco Dolstra | 3 | -29/+15
2018-05-30 | Fix static assertion failure on 32-bit systems | Eelco Dolstra | 1 | -1/+1
2018-05-30 | Move evaluator-specific settings out of libstore | Eelco Dolstra | 5 | -14/+41
2018-05-28 | Merge pull request #2187 from bgamari/stoi-exceptions | Eelco Dolstra | 1 | -1/+1
json-to-value: Use strtol instead of strtoi
2018-05-26 | json-to-value: Use strtol instead of strtoi | Ben Gamari | 1 | -1/+1
NixInt is long, so strtoi is too restrictive.
2018-05-26 | eval.cc: add message to static_assert, message can be omitted w/c++17 | Will Dietz | 1 | -1/+1
2018-05-24 | Merge pull request #2157 from volth/bitwise | Eelco Dolstra | 1 | -0/+17
add builtins: __bitAnd, __bitOr, __bitXor
2018-05-22 | Make Env self-describing | Eelco Dolstra | 2 | -8/+12
If the Env denotes a 'with', then values[0] may be an Expr* cast to a Value*. For code that generically traverses Values/Envs, it's useful to know this.
2018-05-22 | Memoise checkSourcePath() | Eelco Dolstra | 2 | -1/+11
This prevents hydra-eval-jobs from statting the same files over and over again.
2018-05-16 | add `mod' and bitwise builtins: camel-case function names | volth | 1 | -6/+6
2018-05-16 | add `mod' and bitwise builtins: remove `mod' and shifts | volth | 1 | -36/+0
2018-05-16 | add `mod' and bitwise builtins: remove infix functions | volth | 1 | -7/+0
2018-05-12 | add `mod' and bitwise builtins | volth | 2 | -0/+60
2018-05-11 | Don't return negative numbers from the flex tokenizer | Eelco Dolstra | 1 | -1/+5
Fixes #1374. Closes #2129.
2018-05-11 | Revert "Throw a specific error for incomplete parse errors." | Eelco Dolstra | 3 | -11/+1
This reverts commit 6498adb002bcf7e715afe46c23b8635d4592c156. We don't actually use IncompleteParseError in 'nix repl'.
2018-05-09 | In restricted eval mode, allow access to the closure of store paths | Eelco Dolstra | 1 | -1/+11
E.g. this makes nix eval --restrict-eval -I /nix/store/foo '(builtins.readFile "/nix/store/foo/symlink/bla")' (where /nix/store/foo/symlink is a symlink to another path in the closure of /nix/store/foo) succeed. This fixes a regression in Hydra compared to Nix 1.x (where there were no restrictions at all on access to the Nix store).
2018-05-02 | Fix some random -Wconversion warnings | Eelco Dolstra | 7 | -57/+60
2018-04-23 | Merge branch 'pos-crash-fix' of git://github.com/dezgeg/nix | Shea Levy | 1 | -1/+1
2018-04-17 | isFunction: True on primops. | Shea Levy | 1 | -1/+12
Fixes #2073
2018-04-09 | Export required C++ version in pkgconfig. | Shea Levy | 1 | -1/+1
2018-04-09 | Make prim_exec and prim_importNative available to plugins | Shea Levy | 2 | -2/+10
2018-04-03 | libexpr: Make unsafeGetAttrPos not crash on noPos | Tuomas Tynkkynen | 1 | -1/+1
Currently e.g. `builtins.unsafeGetAttrPos "abort" builtins` will eventually segfault because pos->file is an unset Symbol. Found by afl-fuzz.
2018-03-19 | Shut up signedness warning | Eelco Dolstra | 2 | -2/+2
2018-03-16 | Merge pull request #1939 from dezgeg/lexer-fix | Eelco Dolstra | 1 | -4/+5
libexpr: Recognize newline in more places in lexer
2018-03-14 | Catch more possible instances of passing NULL to memcpy. | Shea Levy | 1 | -4/+8
Actually fixes #1976.
2018-03-14 | concatLists: Don't pass NULL pointers to memcpy. | Shea Levy | 1 | -1/+2
This is UB, even if the size is 0. See #1976. Fixes #1976.
2018-03-14 | Fix compatibility with latest boost::format | Eelco Dolstra | 2 | -23/+23
2018-03-13 | fetchGit: Fix debug message | Guillaume Maudoux | 1 | -1/+1
2018-03-09 | Modified MakeBinOp to no longer produce its name using concatenation and "##". | Tim Engler | 1 | -11/+11
Doing so prevents emacs tags from working, as well as makes the code extremely confusing for a newbie. In the prior state, if someone wants to find the definition of "ExprApp" for example, a grep through the code reveals nothing. Since the definition could be hiding in numerous ".h" files, it's really difficult to find. This personally took me several hours to figure out.
2018-03-02 | libexpr: Recognize newline in more places in lexer | Tuomas Tynkkynen | 1 | -4/+5
Flex's regexes have an annoying feature: the dot matches everything except a newline. This causes problems for expressions like:
    "${0}\
    "
where the backslash-newline combination matches this rule instead of the intended one mentioned in the comment:
    <STRING>\$|\\|\$\\ {
      /* This can only occur when we reach EOF, otherwise the
         above (...|\$[^\{\"\\]|\\.|\$\\.)+ would have triggered.
         This is technically invalid, but we leave the problem to the
         parser who fails with exact location. */
      return STR;
    }
However, the parser actually accepts the resulting token sequence ('"' DOLLAR_CURLY 0 '}' STR '"'), which is a problem because the lexer rule didn't assign anything to yylval. Ultimately this leads to a crash when dereferencing a NULL pointer in ExprConcatStrings::bindVars().
The fix does change the syntax of the language in some corner cases but I think it's only turning previously invalid (or crashing) syntax to valid syntax. E.g.
    "a\
    b"
and
    ''a''\
    b''
were previously syntax errors but now both result in "a\nb".
Found by afl-fuzz.
2018-02-28 | fetchGit: use "HEAD" as default ref | Will Dietz | 1 | -1/+1
2018-02-28 | Actually fix nixDataDir in non-canonical path | Shea Levy | 2 | -2/+2
2018-02-26 | libexpr: Fix prim_replaceStrings() to work on an empty source string | Tuomas Tynkkynen | 1 | -3/+14
Otherwise, running e.g. nix-instantiate --eval -E --strict 'builtins.replaceStrings [""] ["X"] "abc"' would just hang in an infinite loop. Found by afl-fuzz. First attempt of this was reverted in e2d71bd1862cdda because it caused another infinite loop, which is fixed now and a test added.
2018-02-22 | Merge branch 'data-dir-non-canon' of https://github.com/shlevy/nix | Eelco Dolstra | 1 | -1/+1
2018-02-22 | Fix restricted mode when installing in non-canonical data dir | Shea Levy | 1 | -1/+1
2018-02-21 | Revert "libexpr: Fix prim_replaceStrings() to work on an empty source string" | Eelco Dolstra | 1 | -8/+3
This reverts commit 4ea9707591beceacf9988b3c185faf50da238403. It causes an infinite loop in Nixpkgs evaluation, e.g. "nix-instantiate -A hello" hung. PR #1886.
2018-02-19 | libexpr: Fix prim_replaceStrings() to work on an empty source string | Tuomas Tynkkynen | 1 | -3/+8
Otherwise, running e.g. nix-instantiate --eval -E --strict 'builtins.replaceStrings [""] ["X"] "abc"' would just hang in an infinite loop. Found by afl-fuzz.