Compare commits
			5 Commits
			1d21f73a2d
			...
			a050a87129
	| Author | SHA1 | Date | |
|---|---|---|---|
| a050a87129 | |||
| b4a36218e5 | |||
| 70ea76007c | |||
| 2ef34fe396 | |||
| 9126d8d979 | 
| @ -83,6 +83,10 @@ | ||||
|       rec { | ||||
|         packages = { | ||||
|           inherit nix-serve-ng lix-serve-ng; | ||||
|           private = pkgs.runCommand "private" { } '' | ||||
|             mkdir $out | ||||
|             touch $out/.private | ||||
|           ''; | ||||
|           default = nix-serve-ng; | ||||
|         }; | ||||
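Review bot: The `private` package marks itself with `touch $out/.private`, while the server-side check added in src/Main.hs probes `<storePath>/nix-support/private`; if this package is meant to exercise that check, the two marker paths disagree and the fixture would be served as public. I would change the build script to `mkdir -p $out/nix-support` followed by `touch $out/nix-support/private`, or align the Haskell side with `.private`. The file header for this hunk is not visible in the compare view, so the file is inferred from its content.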
| 
 | ||||
|  | ||||
| @ -48,6 +48,7 @@ executable nix-serve | ||||
|                     , base32 | ||||
|                     , bytestring | ||||
|                     , charset | ||||
|                     , directory | ||||
|                     , http-types | ||||
|                     , managed | ||||
|                     , megaparsec | ||||
|  | ||||
										42
								src/Main.hs
							| @ -6,10 +6,13 @@ | ||||
| 
 | ||||
| module Main where | ||||
| 
 | ||||
| import Debug.Trace | ||||
| 
 | ||||
| import Control.Monad.IO.Class (liftIO) | ||||
| import Data.ByteString (ByteString) | ||||
| import Data.CharSet.ByteSet (ByteSet(..)) | ||||
| import Data.Function ((&)) | ||||
| import Data.Word (Word8) | ||||
| import Network.Socket (SockAddr(..)) | ||||
| import Network.Wai (Application) | ||||
| import Nix (NoSuchPath(..), PathInfo(..)) | ||||
| @ -35,6 +38,7 @@ import qualified Network.Wai.Middleware.RequestLogger as RequestLogger | ||||
| import qualified Nix | ||||
| import qualified Options | ||||
| import qualified Options.Applicative                  as Options | ||||
| import qualified System.Directory                     as Directory | ||||
| import qualified System.Environment                   as Environment | ||||
| 
 | ||||
| data ApplicationOptions = ApplicationOptions | ||||
| @ -54,6 +58,20 @@ validHashPartBytes = | ||||
|         <>  [ 0x76 .. 0x7A ]  -- vwxyz | ||||
|         ) | ||||
| 
 | ||||
| type HostAddressTuple = (Word8, Word8, Word8, Word8) | ||||
| 
 | ||||
| isAllowed :: Socket.HostAddress -> Bool | ||||
| isAllowed host = any (uncurry (ipMatches $ Socket.hostAddressToTuple host)) allowedIPs | ||||
|     where | ||||
|         allowedIPs :: [(HostAddressTuple, HostAddressTuple)] | ||||
|         allowedIPs = [ | ||||
|                 ((127,0,0,1),    (127,0,0,1)), | ||||
|                 ((10,0,0,1),     (10,255,255,254)), | ||||
|                 ((192,168,72,1), (192,168,79,254)) | ||||
|             ] | ||||
| 
 | ||||
|         ipMatches ip a b = ip >= a && ip <= b | ||||
| 
 | ||||
| validHashPart :: ByteString -> Bool | ||||
| validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash | ||||
| 
 | ||||
| @ -250,6 +268,30 @@ makeApplication ApplicationOptions{..} request respond = do | ||||
| 
 | ||||
|                     done response | ||||
| 
 | ||||
|                 let privateFilePath = ByteString.Char8.unpack storePath ++ "/nix-support/private" | ||||
|                 isPrivate <- liftIO $ Directory.doesPathExist privateFilePath | ||||
| 
 | ||||
|                 let isLocalNet = case Wai.remoteHost request of | ||||
|                                     SockAddrInet _ host -> isAllowed host | ||||
|                                     _ -> False | ||||
| 
 | ||||
|                 traceM $ show (Wai.remoteHost request, isLocalNet) | ||||
|                 traceM $ show (privateFilePath, isPrivate) | ||||
| 
 | ||||
|                 Monad.when (isPrivate && not isLocalNet) do | ||||
|                     let headers = [ ("Content-Type", "text/plain") ] | ||||
| 
 | ||||
|                     let builder = "Forbidden.\n" | ||||
| 
 | ||||
|                     let response = | ||||
|                             Wai.responseBuilder | ||||
|                                     Types.status403 | ||||
|                                     headers | ||||
|                                     builder | ||||
| 
 | ||||
|                     done response | ||||
| 
 | ||||
| 
 | ||||
|                 let streamingBody write flush = do | ||||
|                        result <- Nix.dumpPath hashPart callback | ||||
| 
 | ||||
|  | ||||
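Review bot: The `isLocalNet` case in the last hunk treats every peer that is not `SockAddrInet` as remote, so IPv6 clients — including `::1` and IPv4-mapped addresses such as `::ffff:127.0.0.1` — are refused private paths even when they are local; that is fail-closed, but it deserves either a comment saying so or a `SockAddrInet6 _ _ host6 _ ->` branch that compares `Socket.hostAddress6ToTuple host6` against the loopback and mapped ranges. The decision also rests solely on the socket peer address, so if the service is deployed behind a reverse proxy on the same host every request would appear to come from an allowed address and the `isPrivate` refusal would never fire; the hard-coded `allowedIPs` list in `isAllowed` would be better supplied through `ApplicationOptions`, whose definition sits outside the hunk, so the deployment can narrow it. The two `traceM` calls print the peer address and the probed path for every request and, together with `import Debug.Trace` in the first hunk, read as leftover debugging; I would drop them before merge or route that information through the existing `RequestLogger` middleware. `makeApplication` begins before the hunk and its body continues after it.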