Merge pull request NixOS#12347 from DeterminateSystems/fix-12339

roberth · web-flow · commit c527fe0f9608 · 2025-01-24T14:45:16.000+01:00
EvalState::resolveLookupPathPath(): Call resolveSymlinks() before pathExists()
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
@@ -3114,7 +3114,7 @@ std::optional<SourcePath> EvalState::resolveLookupPathPath(const LookupPath::Pat
             }
         }
 
-        if (path.pathExists())
+        if (path.resolveSymlinks().pathExists())
             return finish(std::move(path));
         else {
             logWarning({
diff --git a/tests/functional/restricted.sh b/tests/functional/restricted.sh
@@ -23,7 +23,7 @@ nix-instantiate --restrict-eval ./simple.nix -I src1=./simple.nix -I src2=./conf
 (! nix-instantiate --restrict-eval --eval -E 'builtins.readFile ./simple.nix')
 nix-instantiate --restrict-eval --eval -E 'builtins.readFile ./simple.nix' -I src=../..
 
-expectStderr 1 nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile <foo/simple.nix>' | grepQuiet "was not found in the Nix search path"
+expectStderr 1 nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile <foo/simple.nix>' | grepQuiet "forbidden in restricted mode"
 nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile <foo/simple.nix>' -I src=.
 
 p=$(nix eval --raw --expr "builtins.fetchurl file://${_NIX_TEST_SOURCE_DIR}/restricted.sh" --impure --restrict-eval --allowed-uris "file://${_NIX_TEST_SOURCE_DIR}")

Original file line number	Diff line number	Diff line change
`@@ -3114,7 +3114,7 @@ std::optional<SourcePath> EvalState::resolveLookupPathPath(const LookupPath::Pat`
`3114`	`3114`	`}`
`3115`	`3115`	`}`
`3116`	`3116`
`3117`		`- if (path.pathExists())`
	`3117`	`+ if (path.resolveSymlinks().pathExists())`
`3118`	`3118`	`return finish(std::move(path));`
`3119`	`3119`	`else {`
`3120`	`3120`	`logWarning({`