

3 Commits

9c05664130
Sample package 2025-10-06 17:37:13 +02:00
92b407ca39
Add debug output 2025-10-06 17:37:07 +02:00
36d67ff5f3
Do not serve derivations with /nix-support/private 2025-10-06 17:36:52 +02:00
2 changed files with 10 additions and 10 deletions


@ -84,8 +84,8 @@
packages = { packages = {
inherit nix-serve-ng lix-serve-ng; inherit nix-serve-ng lix-serve-ng;
private = pkgs.runCommand "private" { } '' private = pkgs.runCommand "private" { } ''
mkdir $out mkdir -p $out/nix-support
touch $out/.private touch $out/nix-support/private
''; '';
default = nix-serve-ng; default = nix-serve-ng;
}; };
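Review bot: The sample package gives no hint of why the marker moved from `$out/.private` to `$out/nix-support/private`; the new path mirrors the one the server checks (`storePath ++ "/nix-support/private"` in the Haskell hunk further down this page), and a reader of the flake alone cannot see that coupling. A one-line comment above `private = pkgs.runCommand "private" { } ''` such as `# Test fixture: store paths containing nix-support/private are refused to clients outside the server's address whitelist` would make the fixture self-explanatory and keep the two paths from drifting apart silently. The enclosing `packages` attribute set starts outside this hunk.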


@ -60,8 +60,8 @@ validHashPartBytes =
type HostAddressTuple = (Word8, Word8, Word8, Word8) type HostAddressTuple = (Word8, Word8, Word8, Word8)
isAllowed :: Socket.HostAddress -> Bool isInWhitelist :: Socket.HostAddress -> Bool
isAllowed host = any (uncurry (ipMatches $ Socket.hostAddressToTuple host)) allowedIPs isInWhitelist host = any (uncurry (inRange $ Socket.hostAddressToTuple host)) allowedIPs
where where
allowedIPs :: [(HostAddressTuple, HostAddressTuple)] allowedIPs :: [(HostAddressTuple, HostAddressTuple)]
allowedIPs = [ allowedIPs = [
@ -70,7 +70,7 @@ isAllowed host = any (uncurry (ipMatches $ Socket.hostAddressToTuple host)) allo
((192,168,72,1), (192,168,79,254)) ((192,168,72,1), (192,168,79,254))
] ]
ipMatches ip a b = ip >= a && ip <= b inRange ip a b = ip >= a && ip <= b
validHashPart :: ByteString -> Bool validHashPart :: ByteString -> Bool
validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash
@ -271,14 +271,14 @@ makeApplication ApplicationOptions{..} request respond = do
let privateFilePath = ByteString.Char8.unpack storePath ++ "/nix-support/private" let privateFilePath = ByteString.Char8.unpack storePath ++ "/nix-support/private"
isPrivate <- liftIO $ Directory.doesPathExist privateFilePath isPrivate <- liftIO $ Directory.doesPathExist privateFilePath
let isLocalNet = case Wai.remoteHost request of let isLocal = case Wai.remoteHost request of
SockAddrInet _ host -> isAllowed host SockAddrInet _ host -> isInWhitelist host
_ -> False _ -> False
traceM $ show (Wai.remoteHost request, isLocalNet) traceM $ show (Wai.remoteHost request, isLocal)
traceM $ show (privateFilePath, isPrivate) traceM $ show (privateFilePath, isPrivate)
Monad.when (isPrivate && not isLocalNet) do Monad.when (isPrivate && not isLocal) do
let headers = [ ("Content-Type", "text/plain") ] let headers = [ ("Content-Type", "text/plain") ]
let builder = "Forbidden.\n" let builder = "Forbidden.\n"