Merge pull request #7 from ekala-project/lazy-pure-eval

feat: enforce boundaries by simulating pure eval

default.nix

@@ -26,7 +26,17 @@ in
 }:
 dir:
 let
-  std = compose { } ./std // builtins;
+  std =
+    compose { } ./std
+    // filterMap (
+      k: v:
+      if
+        builtins.match "^import|^scopedImport|^builtins|^fetch.*|^current.*|^nixPath|^storePath" k != null
+      then
+        null
+      else
+        { ${k} = v; }
+    ) builtins;
   atom' = builtins.removeAttrs (extern // atom // { inherit extern; }) [
     "atom"
     (baseNameOf dir)
@@ -54,17 +64,31 @@ let
 
       mod = if hasMod then scope "${dir + "/mod.nix"}" else { };
 
-      scope = scopedImport (
-        {
-          inherit std;
-          atom = atom';
-          mod = lowerKeys (builtins.removeAttrs self [ "mod" ] // { outPath = filterMod dir; });
-        }
-        // cond {
-          _if = pre != null;
-          inherit pre;
-        }
-      );
+      scope =
+        let
+          importErr = "Importing arbitrary Nix files is forbidden. Declare your dependencies via the module system instead.";
+        in
+        scopedImport (
+          {
+            inherit std;
+            atom = atom';
+            mod = lowerKeys (builtins.removeAttrs self [ "mod" ] // { outPath = filterMod dir; });
+            # override builtins, so they can only be accessed via `std`
+            builtins = abort "Please access builtins uniformly via the `std` scope.";
+            import = abort importErr;
+            scopedImport = abort importErr;
+            __fetchurl = abort "Ad hoc fetching is illegal. Declare dependencies statically in the manifest instead.";
+            __currentSystem = abort "Accessing the current system is impure. Declare supported systems in the manifest.";
+            __currentTime = abort "Accessing the current time is impure & illegal.";
+            __nixPath = abort "The NIX_PATH is an impure feature, and therefore illegal.";
+            __storePath = abort "Making explicit dependencies on store paths is illegal.";
+
+          }
+          // cond {
+            _if = pre != null;
+            inherit pre;
+          }
+        );
 
       g =
         name: type:

dev/mod.nix

@@ -1,4 +1 @@
-{
-  Pkgs = mod.pkgs;
-  Shell = mod.shell;
-}
+{ Shell = mod.shell; }

dev/shell.nix

@@ -1,5 +1,5 @@
 {
-  pkgs ? mod.pkgs,
+  pkgs ? atom.pkgs,
 }:
 pkgs.mkShell {
   packages = with pkgs; [

shell.nix

@@ -1,7 +1,8 @@
 let
   dev = import ./. {
-    extern = {
+    extern = rec {
       pins = import ./npins;
+      pkgs = import pins.nixpkgs { };
     };
   } ./dev;
 in

std/path/strToPath.nix

@@ -1,7 +1,10 @@
 str:
 let
   # strip off the first `/` of an absolute path
-  frag = std.substring 1 (-1) str;
+  # disgarding the string context of a store path should be safe here
+  # since if the path refers to a store path, the context will be readded
+  # if/when the path is turned back into a string
+  frag = std.unsafeDiscardStringContext (std.substring 1 (-1) str);
   # will fail if the string does not represent an absolute path
   # which is what we want since this function makes little sense otherwise
   validate = std.toPath str;

test/bld.nix

@@ -2,8 +2,7 @@ let
   compose = import ../.;
   mod = compose { } (
     # added to test implicit path conversion when path is a string
-    builtins.toPath
-    ./bld
+    builtins.toPath ./bld
   );
 in
 builtins.deepSeq mod mod

test/bld/mod.nix

@@ -3,7 +3,7 @@
   bar = atom.foo + 2;
   baz = mod.bar + 4;
   F = std.set.filterMap;
-  File = builtins.readFile "${mod}/bum";
+  File = std.readFile "${mod}/bum";
   Buzz = mod.buzz;
   Next = ./next; # should be a non-existant path: /nix/store/next
   Bar = mod.bar;