(zilch nixpkgs): Attempt to limit Nix expression leakage

Change-Id: Ifab2c0e7784145b9f57ca2c3cb713a476a6a6964
puck 2025-11-24 18:37:10 +00:00
parent bf1f5b0ed9
commit 8385c3ac9b
3 changed files with 58 additions and 5 deletions


@ -22,6 +22,7 @@
(verbose #f #\v)
(source #t #\s)
(project #t #\p)
(trust-all #f #\T)
(print-build-logs #f #\L))
(list->vector (cdr (command-line)))
print-help))
@ -62,10 +63,25 @@
(zilch zexpr)
(srfi 128) (srfi 146) (srfi 152))
(when (assoc 'trust-all options) (nixpkgs-eval-allow-all))
(define source (and (assoc 'source options) (cdr (assoc 'source options))))
(when source (nixpkgs-eval-allow-path source))
(define config-path (if (assoc 'config-file options) (cdr (assoc 'config-file options)) "zilch.scm"))
; This is fine, canonicalisation is done without influence of the FS.
(nixpkgs-eval-allow-path (string-append config-path "/.."))
(define (allow-source-paths config)
(when (ninja-build-config-override-source-path config)
(nixpkgs-eval-allow-path (ninja-build-config-override-source-path)))
(for-each
(lambda (rewrite)
(allow-source-paths (cdr rewrite)))
(ninja-build-config-rewrites config)))
(define config (parse-ninja-config config-path (string=? (car args) "build")`(override-source: ,(and source (vfs-from-directory source)) ,@(call-with-input-file config-path read))))
(allow-source-paths config)
(when (and (ninja-build-config-depfile-path config) (file-exists? (ninja-build-config-depfile-path config)))
(set-ninja-build-config-depfile! config (alist->mapping (make-default-comparator) (call-with-input-file (ninja-build-config-depfile-path config) read))))
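Review bot: In the new `allow-source-paths` helper, the inner call `(ninja-build-config-override-source-path)` is made with no argument, although the guard on the line before it passes `config`. As written the accessor would presumably fail with an arity error as soon as a config sets an override source path, so that path never reaches the allow-list; the line should read `(nixpkgs-eval-allow-path (ninja-build-config-override-source-path config))`. The value placed under `override-source:` a few lines later is built with `vfs-from-directory`, so it is also worth confirming that `nixpkgs-eval-allow-path` accepts that object and not only a path string. A one-line comment on the helper, such as `; Every path allowed here comes from the config file itself, including nested rewrites, so the allow-list only constrains a trusted config.`, would make the trust boundary explicit. The enclosing top-level body starts and ends outside the visible hunk.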