a050a87129
Change path to nix-support/private 2025-10-06 16:43:37 +02:00
b4a36218e5
Fix private file path checks 2025-10-06 16:18:29 +02:00
70ea76007c
Sample package 2025-10-06 14:33:59 +02:00
2ef34fe396
Add debug output 2025-10-06 14:33:59 +02:00
9126d8d979
Do not serve derivations with /.private 2025-10-06 14:33:59 +02:00
2 changed files with 10 additions and 10 deletions


@ -84,8 +84,8 @@
packages = { packages = {
inherit nix-serve-ng lix-serve-ng; inherit nix-serve-ng lix-serve-ng;
private = pkgs.runCommand "private" { } '' private = pkgs.runCommand "private" { } ''
mkdir -p $out/nix-support mkdir $out
touch $out/nix-support/private touch $out/.private
''; '';
default = nix-serve-ng; default = nix-serve-ng;
}; };


@ -60,8 +60,8 @@ validHashPartBytes =
type HostAddressTuple = (Word8, Word8, Word8, Word8) type HostAddressTuple = (Word8, Word8, Word8, Word8)
isInWhitelist :: Socket.HostAddress -> Bool isAllowed :: Socket.HostAddress -> Bool
isInWhitelist host = any (uncurry (inRange $ Socket.hostAddressToTuple host)) allowedIPs isAllowed host = any (uncurry (ipMatches $ Socket.hostAddressToTuple host)) allowedIPs
where where
allowedIPs :: [(HostAddressTuple, HostAddressTuple)] allowedIPs :: [(HostAddressTuple, HostAddressTuple)]
allowedIPs = [ allowedIPs = [
@ -70,7 +70,7 @@ isInWhitelist host = any (uncurry (inRange $ Socket.hostAddressToTuple host)) al
((192,168,72,1), (192,168,79,254)) ((192,168,72,1), (192,168,79,254))
] ]
inRange ip a b = ip >= a && ip <= b ipMatches ip a b = ip >= a && ip <= b
validHashPart :: ByteString -> Bool validHashPart :: ByteString -> Bool
validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash
@ -271,14 +271,14 @@ makeApplication ApplicationOptions{..} request respond = do
let privateFilePath = ByteString.Char8.unpack storePath ++ "/nix-support/private" let privateFilePath = ByteString.Char8.unpack storePath ++ "/nix-support/private"
isPrivate <- liftIO $ Directory.doesPathExist privateFilePath isPrivate <- liftIO $ Directory.doesPathExist privateFilePath
let isLocal = case Wai.remoteHost request of let isLocalNet = case Wai.remoteHost request of
SockAddrInet _ host -> isInWhitelist host SockAddrInet _ host -> isAllowed host
_ -> False _ -> False
traceM $ show (Wai.remoteHost request, isLocal) traceM $ show (Wai.remoteHost request, isLocalNet)
traceM $ show (privateFilePath, isPrivate) traceM $ show (privateFilePath, isPrivate)
Monad.when (isPrivate && not isLocal) do Monad.when (isPrivate && not isLocalNet) do
let headers = [ ("Content-Type", "text/plain") ] let headers = [ ("Content-Type", "text/plain") ]
let builder = "Forbidden.\n" let builder = "Forbidden.\n"