labs/basic: Validate environment variables

2025-10-27 23:32:32 -04:00 · 2025-10-27 23:32:32 -04:00 · cabbf2372a
commit cabbf2372a
parent 551bbc60de
1 changed files with 31 additions and 1 deletions
--- a/tidepool/src/builders/foundation/basic.nix
+++ b/tidepool/src/builders/foundation/basic.nix
@ -71,10 +71,40 @@ in
              (lib.packages.build packages.foundation.bash.versions."5.2.15-stage1" "x86_64-linux" system).package
            }/bin/bash";

+        # Validates that the exported environment variables are stringy
+        validateEnvVarType =
+          name: var:
+          if builtins.isString var || builtins.isPath var || lib.packages.isDerivation var then
+            var
+          else
+            throw "${builtins.unsafeGetAttrPos name package.env}: 'env.${name}' at is not a string, path, or derivation";
+
+        # Essentially black-listed environment variable names
+        # this is a list of attributes on the builtin.derivation below, keep it in sync if possible.
+        reservedVars = [
+          "name"
+          "script"
+          "system"
+          "script"
+          "env"
+          "__structuredAttrs"
+          "SHELL"
+          "builder"
+          "args"
+        ];
+        validateEnvVarName =
+          name: var:
+          if !(builtins.elem name reservedVars) then
+            var
+          else
+            throw "${builtins.unsafeGetAttrPos name package.env}: 'env.${name}' is a reserved name";
+
        built = builtins.derivation ({
-          inherit (package) name env;
+          inherit (package) name;
          inherit script system;

+          env = builtins.mapAttrs (lib.fp.compose validateEnvVarType validateEnvVarName) package.env;
+
          __structuredAttrs = true;

          outputs = builtins.attrNames (lib.packages.getOutputs package);