nix-community / yarn2nix

Generate nix expressions from a yarn.lock file [maintainer=???]
GNU General Public License v3.0

Use in restricted mode recently broken #102

Closed michaelpj closed 4 years ago

michaelpj commented 5 years ago

https://github.com/moretea/yarn2nix/commit/8c73c4a4f296b1cb52f83d9697e03b895f277abe broke using yarn2nix on hydra in restricted mode.

The problem is this code: https://github.com/moretea/yarn2nix/commit/8c73c4a4f296b1cb52f83d9697e03b895f277abe#diff-5712e736e0de6ba170577f8472c398e9R369

I think what's going on is that this constructs paths from strings, and ends up trying to read what looks to hydra like a random store path. I think this is the same underlying issue as in https://github.com/NixOS/nixpkgs/issues/35207.

To reproduce:

  # Pin yarn2nix at the revision that fails in restricted mode.
  yarn2nix = pkgs.callPackage (pkgs.fetchFromGitHub {
    owner = "moretea";
    repo = "yarn2nix";
    rev = "3cc020e384ce2a439813adb7a0cc772a034d90bb";
    sha256 = "0h2kzdfiw43rbiiffpqq9lkhvdv8mgzz2w29pzrxgv8d39x67vr9";
  }) { };

Evaluating in restricted mode gives something like:

error: access to path '/nix/store/g5bkq7ahvxraahsh0a6q376vsm1bf6rr-vi0fx76f50ykk0zag73ln28013q9dq2w-source/package.json' is forbidden in restricted mode
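
A triage helper for the error above, added here as an example and not part of the original issue or of yarn2nix: it extracts the path from a restricted-mode error and flags a store path whose name itself begins with a store hash, which is what Nix produces when an existing store path is copied into the store again under its own base name. The function names, the `/nix/store` store directory and every sample line except the error quoted in the issue are assumptions constructed for illustration.

```python
import re

# Nix store hashes: 32 chars of Nix's base-32 alphabet (no e, o, t, u).
# Assumption: the default store directory /nix/store.
HASH = r"[0-9abcdfghijklmnpqrsvwxyz]{32}"
FORBIDDEN = re.compile(
    r"access to path '(?P<path>[^']+)' is forbidden in restricted mode")
STORE_PATH = re.compile(
    rf"^/nix/store/(?P<hash>{HASH})-(?P<name>[^/]+)(?P<rest>/.*)?$")
NESTED = re.compile(rf"^(?P<hash>{HASH})-(?P<name>.+)$")

def classify(line):
    """Describe one restricted-mode error line; None if it is not one."""
    m = FORBIDDEN.search(line)
    if m is None:
        return None
    path = m.group("path")
    sp = STORE_PATH.match(path)
    if sp is None:
        return {"path": path, "kind": "outside-store"}
    info = {"path": path, "kind": "store-path", "file": sp.group("rest") or ""}
    inner = NESTED.match(sp.group("name"))
    if inner:
        # The name part begins with another store hash: an existing store
        # path was copied into the store again under its own base name.
        info["kind"] = "reimported-store-path"
        info["origin"] = "/nix/store/%s-%s" % (inner.group("hash"),
                                               inner.group("name"))
    return info

def triage(lines):
    """Classify every forbidden-path error found in an evaluator log."""
    return [c for c in map(classify, lines) if c is not None]

# First line: the error quoted in the issue. The rest are constructed samples.
SAMPLE_LOG = [
    "error: access to path '/nix/store/g5bkq7ahvxraahsh0a6q376vsm1bf6rr-"
    "vi0fx76f50ykk0zag73ln28013q9dq2w-source/package.json' "
    "is forbidden in restricted mode",
    "error: access to path '/nix/store/0123456789abcdfghijklmnpqrsvwxyz-"
    "source/yarn.lock' is forbidden in restricted mode",
    "error: access to path '/home/ci/checkout/default.nix' "
    "is forbidden in restricted mode",
    "evaluating jobset 'example:main'",
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["kind"], entry.get("origin", entry["path"]))
```

An `origin` in the result names the store path that was imported a second time, which is the source tree to trace back to in the Nix expression.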

michaelpj commented 5 years ago

I tried to fix this, and I'm a little baffled by the restrictions. If I revert to just using ./. for src it works, but if I use even a trivial builtins.filterSource call it fails. I would have expected the builtin to work, but apparently not...

ghost commented 4 years ago

Fixed by #115