Compare commits
	
		
			2 Commits
		
	
	
		
			d676436e38
			...
			8b962f1c44
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 8b962f1c44 | |||
| 85e97b5260 | 
| @ -83,10 +83,6 @@ | ||||
|       rec { | ||||
|         packages = { | ||||
|           inherit nix-serve-ng lix-serve-ng; | ||||
|           private = pkgs.runCommand "private" { } '' | ||||
|             mkdir $out | ||||
|             touch $out/.private | ||||
|           ''; | ||||
|           default = nix-serve-ng; | ||||
|         }; | ||||
| 
 | ||||
|  | ||||
							
								
								
									
										30
									
								
								src/Main.hs
									
									
									
									
									
								
							
							
						
						
									
							| @ -12,7 +12,6 @@ import Control.Monad.IO.Class (liftIO) | ||||
| import Data.ByteString (ByteString) | ||||
| import Data.CharSet.ByteSet (ByteSet(..)) | ||||
| import Data.Function ((&)) | ||||
| import Data.Word (Word8) | ||||
| import Network.Socket (SockAddr(..)) | ||||
| import Network.Wai (Application) | ||||
| import Nix (NoSuchPath(..), PathInfo(..)) | ||||
| @ -58,20 +57,6 @@ validHashPartBytes = | ||||
|         <>  [ 0x76 .. 0x7A ]  -- vwxyz | ||||
|         ) | ||||
| 
 | ||||
| type HostAddressTuple = (Word8, Word8, Word8, Word8) | ||||
| 
 | ||||
| isAllowed :: Socket.HostAddress -> Bool | ||||
| isAllowed host = any (uncurry (ipMatches $ Socket.hostAddressToTuple host)) allowedIPs | ||||
|     where | ||||
|         allowedIPs :: [(HostAddressTuple, HostAddressTuple)] | ||||
|         allowedIPs = [ | ||||
|                 ((127,0,0,1),    (127,0,0,1)), | ||||
|                 ((10,0,0,1),     (10,255,255,254)), | ||||
|                 ((192,168,72,1), (192,168,79,254)) | ||||
|             ] | ||||
| 
 | ||||
|         ipMatches ip a b = ip >= a && ip <= b | ||||
| 
 | ||||
| validHashPart :: ByteString -> Bool | ||||
| validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash | ||||
| 
 | ||||
| @ -268,21 +253,22 @@ makeApplication ApplicationOptions{..} request respond = do | ||||
| 
 | ||||
|                     done response | ||||
| 
 | ||||
|                 let privateFilePath = ByteString.Char8.unpack storePath ++ "/.private" | ||||
|                 isPrivate <- liftIO $ Directory.doesPathExist privateFilePath | ||||
| 
 | ||||
|                 isPrivate <- not <$> liftIO (Directory.doesPathExist (ByteString.Char8.unpack storePath ++ "/.private")) | ||||
|                 let sockAddr = Wai.remoteHost request | ||||
|                 hostAddr  <- case sockAddr of | ||||
|                     SockAddrInet _ host -> return host | ||||
|                     _ -> return $ Socket.tupleToHostAddress (255, 255, 255, 255) | ||||
| 
 | ||||
|                 traceM $ show (Socket.hostAddressToTuple hostAddr, isAllowed hostAddr) | ||||
|                 traceM $ show (privateFilePath, isPrivate) | ||||
|                 let isInternalClient = hostAddr >= Socket.tupleToHostAddress (10, 0, 0, 0) && hostAddr < Socket.tupleToHostAddress (11, 0, 0, 0) | ||||
| 
 | ||||
|                 Monad.when (isPrivate && (not $ isAllowed hostAddr)) do | ||||
|                 traceM $ show (ByteString.Char8.unpack storePath, "private", isPrivate, | ||||
|                     "host", hostAddr, | ||||
|                     "isInternalClient", isInternalClient | ||||
|                     ) | ||||
|                 Monad.unless (isInternalClient || not isPrivate) do | ||||
|                     let headers = [ ("Content-Type", "text/plain") ] | ||||
| 
 | ||||
|                     let builder = "Forbidden.\n" | ||||
|                     let builder = "Forbbiden.\n" | ||||
| 
 | ||||
|                     let response = | ||||
|                             Wai.responseBuilder | ||||
|  | ||||
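Review bot: In the last hunk of src/Main.hs, `isPrivate` is bound to `not <$> liftIO (Directory.doesPathExist (... ++ "/.private"))`, so it is True exactly when the marker file is absent. A store path that does contain `.private` therefore skips the `Monad.unless (isInternalClient || not isPrivate)` guard and is served to any client, which looks inverted relative to the name; dropping the `not <$>` restores the apparent intent. The `isInternalClient` test also orders raw `Socket.HostAddress` values, which the network package documents as the network-byte-order word read in host byte order, so on little-endian hosts `hostAddr >= tupleToHostAddress (10, 0, 0, 0) && hostAddr < tupleToHostAddress (11, 0, 0, 0)` does not describe 10.0.0.0/8. Comparing the tuple avoids this, e.g. `let (a, _, _, _) = Socket.hostAddressToTuple hostAddr` followed by `let isInternalClient = a == 10`. The response literal reads `"Forbbiden.\n"`, and the `traceM` call prints every requested store path and client address to stderr, so it is worth removing before this ships; the enclosing `makeApplication` body starts and ends outside the hunk.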