restrict-eval does not allow access to git flake inputs

[lheckemann]

Describe the bug
(might be a dup of #7090, not sure)

Steps To Reproduce

nix build --restrict-eval github:lheckemann-dump/fetcher-issues-a/39ad58c862ba4b2a53dbe659a03df4c9a64a464f#test1

Expected behavior

Building just fine. I'm particularly surprised because the test3 and test4 inputs (github: instead of git) are allowed.

Actual behaviour

error: access to URI 'https://github.com/lheckemann-dump/fetcher-issues-b.git' is forbidden in restricted mode
(use '--show-trace' to show detailed location information)

nix-env --version output
nix-env (Nix) 2.12.0pre20220913_2a1c63c (lazy-trees branch)
Also tested on nix-env (Nix) 2.8.1.

flake.nix for reference: https://github.com/lheckemann-dump/fetcher-issues-a/blob/39ad58c862ba4b2a53dbe659a03df4c9a64a464f/flake.nix

[SuperSandro2000]

Do you have allowed-uris set?

[lheckemann]

No, but either I shouldn't need it (because they're locked declared flake inputs) or it should fail in the same way with github: inputs.

[Ma27]

Since I got bitten by NixOS/hydra#1257 as well, I decided to investigate.

First of all a bit of context: flake inputs are fetched using https://github.com/NixOS/nix/blob/2.12.0/src/libexpr/flake/call-flake.nix#L15, i.e. pure Nix code. That means that there's no difference between a builtins.fetchTree {} in my Nix code (that's prohibited by restrict-eval) and a flake input to be fetched.

Now, why are e.g. github/gitlab inputs working fine? The only reason is because they don't have a url-attribute that could be passed to EvalState::checkURI():

$ nix-instantiate --eval -E 'builtins.fetchTree { type = "gitlab"; owner = "Ma27"; repo = "coredump-exporter"; }' --experimental-features 'flakes' --option restrict-eval true
{ lastModified = 1655377483; lastModifiedDate = "20220616110443"; narHash = "sha256-wm1QUoj96UQzLdv98Khp33JQ/97dE28y9GteaOEE6CE="; outPath = "/nix/store/51yprxa1q08jxk16ss1qx3zzvq0if4yk-source"; rev = "d05ce558dd83406af7ff941f4686e5260c2536e8"; shortRev = "d05ce55"; }
$ nix-instantiate --eval -E 'builtins.fetchTree { type = "gitlab"; owner = "Ma27"; repo = "coredump-exporter"; url = "https://gitlab.com"; }' --experimental-features 'flakes' --option restrict-eval true
error: access to URI 'https://gitlab.com' is forbidden in restricted mode
$ nix-instantiate --eval -E 'builtins.fetchTree { type = "gitlab"; owner = "Ma27"; repo = "coredump-exporter"; url = "https://gitlab.com"; }' --experimental-features 'flakes'
error: unsupported input attribute 'url'

As you can see, the gitlab-fetcher doesn't support the URL attribute at all, however it breaks on restrict-eval because access to said url is prohibited. Also, restrict-eval should avoid access to non-allowed URLs in my Nix code which is effectively not the case for github/gitlab inputs fetched with fetchTree. In other words, it's sheer luck apparently that github/gitlab fetchers are working fine. Not sure how to go from here, my workaround for now will be check if allowed-uris works with my Hydra or I'll use Linus's Hydra workaround.

cc @edolstra @thufschmitt for opinions.

[thufschmitt]

I'm not familiar at all with restrict-eval, but my understanding is that it's amongst other things a security feature to prevent semi-untrusted code to try to access arbitrary stuff on the evaluator's filesystem or network. That makes it partially orthogonal to flake inputs. So my guess would be that we need to fix the git{hub,lab} input types to respect these.

Now, why are e.g. github/gitlab inputs working fine? The only reason is because they don't have a url-attribute that could be passed to EvalState::checkURI():

Indeed. Which is something of an issue since we can change their host to anything. We probably want to fix that