abonerib/nix-serve-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Do not serve derivations with /.private

Browse Source
This commit is contained in:
Aleix Boné
2025-10-03 17:28:01 +02:00
parent 1d21f73a2d
commit 85e97b5260
2 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
nix-serve-ng.cabal
View File

@@ -48,6 +48,7 @@ executable nix-serve
, base32 , base32
, bytestring , bytestring
, charset , charset
, directory
, http-types , http-types
, managed , managed
, megaparsec , megaparsec

23
src/Main.hs
View File

@@ -35,6 +35,7 @@ import qualified Network.Wai.Middleware.RequestLogger as RequestLogger
import qualified Nix import qualified Nix
import qualified Options import qualified Options
import qualified Options.Applicative as Options import qualified Options.Applicative as Options
import qualified System.Directory as Directory
import qualified System.Environment as Environment import qualified System.Environment as Environment
data ApplicationOptions = ApplicationOptions data ApplicationOptions = ApplicationOptions
@@ -250,6 +251,28 @@ makeApplication ApplicationOptions{..} request respond = do
done response done response
isPrivate <- not <$> liftIO (Directory.doesPathExist (ByteString.Char8.unpack storePath ++ "/.private"))
let sockAddr = Wai.remoteHost request
hostAddr <- case sockAddr of
SockAddrInet _ host -> return host
_ -> return $ Socket.tupleToHostAddress (255, 255, 255, 255)
let isInternalClient = hostAddr >= Socket.tupleToHostAddress (10, 0, 0, 0) && hostAddr < Socket.tupleToHostAddress (11, 0, 0, 0)
Monad.unless (isInternalClient || not isPrivate) do
let headers = [ ("Content-Type", "text/plain") ]
let builder = "Forbbiden.\n"
let response =
Wai.responseBuilder
Types.status403
headers
builder
done response
let streamingBody write flush = do let streamingBody write flush = do
result <- Nix.dumpPath hashPart callback result <- Nix.dumpPath hashPart callback