Merge pull request #14 from eclairevoyant/reject-nixconfig

feat: add reject-flake-config setting to reject all nix config from flakes
Max Headroom 2024-02-16 08:56:59 +01:00 committed by GitHub
commit 924eb1127a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 14 additions and 0 deletions


@ -27,6 +27,11 @@ The following experimental features are enabled by default:
- `repl-flake` (`Xp::ReplFlake`)
- `fetch-tree` (`Xp::FetchTree`)
### Additional settings
The following settings are added to this fork:
- `reject-flake-config`: rejects all flake configuration (including whitelisted settings) and warns about it
### Full thunk evaluation in `flake.nix`
In stock Nix, only the outputs section of `flake.nix` is able to make full use of the Nix language.


@ -51,6 +51,11 @@ void ConfigFile::apply()
else
assert(false);
if (nix::fetchSettings.rejectFlakeConfig) {
warn("ignoring untrusted flake configuration setting '%s' due to the '%s' setting.", name, "reject-flake-config");
continue;
}
if (!whitelist.count(baseName) && !nix::fetchSettings.acceptFlakeConfig) {
bool trusted = false;
auto trustedList = readTrustedList();
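Review bot: The new `rejectFlakeConfig` check sits before the whitelist and `acceptFlakeConfig` test, so it silently overrides both when a user has `accept-flake-config = true` as well, and nothing in the hunk records that precedence. A one-line comment above the added `if` would make the intent explicit for the next reader: `// reject-flake-config wins over accept-flake-config and the whitelist: no nixConfig entry from the flake is applied.` The warning text also calls every rejected entry "untrusted", which reads oddly for whitelisted settings that would otherwise be applied without a trust check; `"ignoring flake configuration setting '%s' due to the '%s' setting."` states what actually happens. The body of `ConfigFile::apply` starts and ends outside the hunk, so the loop this `continue` belongs to is not visible here.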

View file

@ -87,6 +87,10 @@ struct FetchSettings : public Config
"Whether to accept nix configuration from a flake without prompting.",
{}, true, Xp::Flakes};
Setting<bool> rejectFlakeConfig{this, false, "reject-flake-config",
"Whether to reject nix configuration (including whitelisted settings) from a flake without prompting.",
{}, true, Xp::Flakes};
Setting<std::string> commitLockFileSummary{
this, "", "commit-lockfile-summary",
R"(
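Review bot: The description of the added `rejectFlakeConfig` setting copies the "without prompting" phrasing from `acceptFlakeConfig`, but rejecting never involves a prompt, and it does not say that the setting takes effect even when `accept-flake-config` is true or that each rejected entry is reported. Suggested wording for the string on the line after `"reject-flake-config",`: `"Whether to reject all nix configuration from a flake, including whitelisted settings and regardless of 'accept-flake-config'. Each rejected setting produces a warning."` Since this is the text users see in `nix show-config`, stating the precedence here is the only place they will learn it. The enclosing `struct FetchSettings` starts and ends outside the hunk.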