abonerib/nix-serve-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: abonerib:d676436e3883340ef6a4250562758150a32cee33
Branches Tags
abonerib:main
..
compare: abonerib:8b962f1c4470d08ecfa28735bdb68849ec3110ee
Branches Tags
abonerib:main

2 Commits
d676436e38 ... 8b962f1c44

Author SHA1 Message Date
Aleix Boné
8b962f1c44
Add debug output 2025-10-03 17:48:14 +02:00
Aleix Boné
85e97b5260
Do not serve derivations with /.private 2025-10-03 17:42:54 +02:00
2 changed files with 8 additions and 26 deletions
Show Stats Expand all files Collapse all files

4
flake.nix
View File

@ -83,10 +83,6 @@
rec { rec {
packages = { packages = {
inherit nix-serve-ng lix-serve-ng; inherit nix-serve-ng lix-serve-ng;
private = pkgs.runCommand "private" { } ''
mkdir $out
touch $out/.private
'';
default = nix-serve-ng; default = nix-serve-ng;
}; };

30
src/Main.hs
View File

@ -12,7 +12,6 @@ import Control.Monad.IO.Class (liftIO)
import Data.ByteString (ByteString) import Data.ByteString (ByteString)
import Data.CharSet.ByteSet (ByteSet(..)) import Data.CharSet.ByteSet (ByteSet(..))
import Data.Function ((&)) import Data.Function ((&))
import Data.Word (Word8)
import Network.Socket (SockAddr(..)) import Network.Socket (SockAddr(..))
import Network.Wai (Application) import Network.Wai (Application)
import Nix (NoSuchPath(..), PathInfo(..)) import Nix (NoSuchPath(..), PathInfo(..))
@ -58,20 +57,6 @@ validHashPartBytes =
<> [ 0x76 .. 0x7A ] -- vwxyz <> [ 0x76 .. 0x7A ] -- vwxyz
) )
type HostAddressTuple = (Word8, Word8, Word8, Word8)
isAllowed :: Socket.HostAddress -> Bool
isAllowed host = any (uncurry (ipMatches $ Socket.hostAddressToTuple host)) allowedIPs
where
allowedIPs :: [(HostAddressTuple, HostAddressTuple)]
allowedIPs = [
((127,0,0,1), (127,0,0,1)),
((10,0,0,1), (10,255,255,254)),
((192,168,72,1), (192,168,79,254))
]
ipMatches ip a b = ip >= a && ip <= b
validHashPart :: ByteString -> Bool validHashPart :: ByteString -> Bool
validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash
@ -268,21 +253,22 @@ makeApplication ApplicationOptions{..} request respond = do
done response done response
let privateFilePath = ByteString.Char8.unpack storePath ++ "/.private" isPrivate <- not <$> liftIO (Directory.doesPathExist (ByteString.Char8.unpack storePath ++ "/.private"))
isPrivate <- liftIO $ Directory.doesPathExist privateFilePath
let sockAddr = Wai.remoteHost request let sockAddr = Wai.remoteHost request
hostAddr <- case sockAddr of hostAddr <- case sockAddr of
SockAddrInet _ host -> return host SockAddrInet _ host -> return host
_ -> return $ Socket.tupleToHostAddress (255, 255, 255, 255) _ -> return $ Socket.tupleToHostAddress (255, 255, 255, 255)
traceM $ show (Socket.hostAddressToTuple hostAddr, isAllowed hostAddr) let isInternalClient = hostAddr >= Socket.tupleToHostAddress (10, 0, 0, 0) && hostAddr < Socket.tupleToHostAddress (11, 0, 0, 0)
traceM $ show (privateFilePath, isPrivate)
Monad.when (isPrivate && (not $ isAllowed hostAddr)) do traceM $ show (ByteString.Char8.unpack storePath, "private", isPrivate,
"host", hostAddr,
"isInternalClient", isInternalClient
)
Monad.unless (isInternalClient || not isPrivate) do
let headers = [ ("Content-Type", "text/plain") ] let headers = [ ("Content-Type", "text/plain") ]
let builder = "Forbidden.\n" let builder = "Forbbiden.\n"
let response = let response =
Wai.responseBuilder Wai.responseBuilder