Merge pull request #5250 from edolstra/censor-flake-lock

Disallow reading flake.lock
NixOS · Sep 14, 2021 · 2c751c0 · 2c751c0
2 parents 1fbaf36 + e559611
commit 2c751c0
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
@@ -1412,6 +1412,11 @@ static void prim_readFile(EvalState & state, const Pos & pos, Value * * args, Va
 {
     PathSet context;
     Path path = state.coerceToPath(pos, *args[0], context);
+    if (baseNameOf(path) == "flake.lock")
+        throw Error({
+            .msg = hintfmt("cannot read '%s' because flake lock files can be out of sync", path),
+            .errPos = pos
+        });
     try {
         state.realiseContext(context);
     } catch (InvalidPathError & e) {