Merge pull request #9547 from hercules-ci/allowed-scheme-without-slash

`allowed-uris`: match whole schemes without slashes
2025-11-11 21:16:02 +01:00 · 2023-12-13 20:23:33 +01:00 · 2023-12-13 20:23:33 +01:00 · 1b7968ed86
commit 1b7968ed86
parent b1c633c6bb 0b87ba50c0
9 changed files with 236 additions and 13 deletions
--- a/src/libexpr/eval-settings.hh
+++ b/src/libexpr/eval-settings.hh
@ -68,6 +68,11 @@ struct EvalSettings : Config
          evaluation mode. For example, when set to
          `https://github.com/NixOS`, builtin functions such as `fetchGit` are
          allowed to access `https://github.com/NixOS/patchelf.git`.
+
+          Access is granted when
+          - the URI is equal to the prefix,
+          - or the URI is a subpath of the prefix,
+          - or the prefix is a URI scheme ended by a colon `:` and the URI has the same scheme.
        )"};

    Setting<bool> traceFunctionCalls{this, false, "trace-function-calls",
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -18,6 +18,7 @@
 #include "memory-input-accessor.hh"
 #include "signals.hh"
 #include "gc-small-vector.hh"
+#include "url.hh"

 #include <algorithm>
 #include <chrono>
@ -599,21 +600,45 @@ void EvalState::allowAndSetStorePathString(const StorePath & storePath, Value &
    mkStorePathString(storePath, v);
 }

+inline static bool isJustSchemePrefix(std::string_view prefix)
+{
+    return
+        !prefix.empty()
+        && prefix[prefix.size() - 1] == ':'
+        && isValidSchemeName(prefix.substr(0, prefix.size() - 1));
+}
+
+bool isAllowedURI(std::string_view uri, const Strings & allowedUris)
+{
+    /* 'uri' should be equal to a prefix, or in a subdirectory of a
+       prefix. Thus, the prefix https://github.co does not permit
+       access to https://github.com. */
+    for (auto & prefix : allowedUris) {
+        if (uri == prefix
+            // Allow access to subdirectories of the prefix.
+            || (uri.size() > prefix.size()
+                && prefix.size() > 0
+                && hasPrefix(uri, prefix)
+                && (
+                    // Allow access to subdirectories of the prefix.
+                    prefix[prefix.size() - 1] == '/'
+                    || uri[prefix.size()] == '/'
+
+                    // Allow access to whole schemes
+                    || isJustSchemePrefix(prefix)
+                    )
+                ))
+            return true;
+    }
+
+    return false;
+}
+
 void EvalState::checkURI(const std::string & uri)
 {
    if (!evalSettings.restrictEval) return;

-    /* 'uri' should be equal to a prefix, or in a subdirectory of a
-       prefix. Thus, the prefix https://github.co does not permit
-       access to https://github.com. Note: this allows 'http://' and
-       'https://' as prefixes for any http/https URI. */
-    for (auto & prefix : evalSettings.allowedUris.get())
-        if (uri == prefix ||
-            (uri.size() > prefix.size()
-            && prefix.size() > 0
-            && hasPrefix(uri, prefix)
-            && (prefix[prefix.size() - 1] == '/' || uri[prefix.size()] == '/')))
-            return;
+    if (isAllowedURI(uri, evalSettings.allowedUris.get())) return;

    /* If the URI is a path, then check it against allowedPaths as
       well. */
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@ -832,6 +832,11 @@ std::string showType(const Value & v);
 */
 SourcePath resolveExprPath(SourcePath path);

+/**
+ * Whether a URI is allowed, assuming restrictEval is enabled
+ */
+bool isAllowedURI(std::string_view uri, const Strings & allowedPaths);
+
 struct InvalidPathError : EvalError
 {
    Path path;