Properly return false on builtins.pathExists /someNonAllowedPath

Follow-up from #5807 to fix #5807 (comment)
NixOS · Dec 23, 2021 · 0dcd8c2 · 0dcd8c2
1 parent 7feb741
commit 0dcd8c2
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
@@ -1379,6 +1379,9 @@ static void prim_pathExists(EvalState & state, const Pos & pos, Value * * args,
                 path, e.path),
             .errPos = pos
         });
+    } catch (RestrictedPathError & e) {
+        mkBool(v, false);
+        return;
     }
 
     try {
@@ -1387,8 +1390,6 @@ static void prim_pathExists(EvalState & state, const Pos & pos, Value * * args,
         /* Don't give away info from errors while canonicalising
            ‘path’ in restricted mode. */
         mkBool(v, false);
-    } catch (RestrictedPathError & e) {
-        mkBool(v, false);
     }
 }
 

diff --git a/tests/pure-eval.sh b/tests/pure-eval.sh
@@ -11,6 +11,9 @@ missingImpureErrorMsg=$(! nix eval --expr 'builtins.readFile ./pure-eval.sh' 2>&
 echo "$missingImpureErrorMsg" | grep -q -- --impure || \
     fail "The error message should mention the “--impure” flag to unblock users"
 
+[[ $(nix eval --expr 'builtins.pathExists ./pure-eval.sh') == false ]] || \
+    fail "Calling 'pathExists' on a non-authorised path should return false"
+
 (! nix eval --expr builtins.currentTime)
 (! nix eval --expr builtins.currentSystem)