improve YAML syntax for defining allowed IPs

This commit is contained in:
Hazelnoot 2025-05-13 22:19:24 -04:00
parent fb63167d85
commit 5116586d79
5 changed files with 113 additions and 24 deletions


@ -321,9 +321,24 @@ attachLdSignatureForRelays: true
# For security reasons, uploading attachments from the intranet is prohibited, # For security reasons, uploading attachments from the intranet is prohibited,
# but exceptions can be made from the following settings. Default value is "undefined". # but exceptions can be made from the following settings. Default value is "undefined".
# Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)). # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)).
#allowedPrivateNetworks: [ # Some example configurations:
# '127.0.0.1/32' #allowedPrivateNetworks:
#] # # Allow connections to 127.0.0.1 on any port
# - '127.0.0.1/32'
# # Allow connections to 127.0.0.* on any port
# - '127.0.0.1/24'
# # Allow connections to 127.0.0.1 on any port
# - '127.0.0.1'
# # Allow connections to 127.0.0.1 on any port
# - network: '127.0.0.1'
# # Allow connections to 127.0.0.1 on port 80
# - network: '127.0.0.1'
# ports: [80]
# # Allow connections to 127.0.0.1 on port 80 or 443
# - network: '127.0.0.1'
# ports:
# - 80
# - 443
#customMOTD: ['Hello World', 'The sharks rule all', 'Shonks'] #customMOTD: ['Hello World', 'The sharks rule all', 'Shonks']
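Review bot: The object form in the new examples is keyed `network:` (`- network: '127.0.0.1'` with optional `ports:`), but the source type this commit adds in the TypeScript file, `PrivateNetworkSource = string | { ip?: string, ports?: number[] }`, and the parser's `else if (e.ip)` branch only look at `ip`; copied as written, every object-form entry would be warned about and dropped rather than allowed, so the documented port-restricted form never takes effect. Either the examples should read `- ip: '127.0.0.1'` or the type and parser should accept `network`. The mismatch fails closed, so it does not widen access, but the silent skip is easy to miss in an operator log. The same example block is repeated in the other three example-config sections of this commit.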


@ -269,9 +269,27 @@ proxyRemoteFiles: true
# Sign to ActivityPub GET request (default: true) # Sign to ActivityPub GET request (default: true)
signToActivityPubGet: true signToActivityPubGet: true
allowedPrivateNetworks: [ # For security reasons, uploading attachments from the intranet is prohibited,
'127.0.0.1/32' # but exceptions can be made from the following settings. Default value is "undefined".
] # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)).
# Some example configurations:
allowedPrivateNetworks:
# Allow connections to 127.0.0.1 on any port
- '127.0.0.1/32'
# # Allow connections to 127.0.0.* on any port
# - '127.0.0.1/24'
# # Allow connections to 127.0.0.1 on any port
# - '127.0.0.1'
# # Allow connections to 127.0.0.1 on any port
# - network: '127.0.0.1'
# # Allow connections to 127.0.0.1 on port 80
# - network: '127.0.0.1'
# ports: [80]
# # Allow connections to 127.0.0.1 on port 80 or 443
# - network: '127.0.0.1'
# ports:
# - 80
# - 443
# Disable automatic redirect for ActivityPub object lookup. (default: false) # Disable automatic redirect for ActivityPub object lookup. (default: false)
# This is a strong defense against potential impersonation attacks if the viewer instance has inadequate validation. # This is a strong defense against potential impersonation attacks if the viewer instance has inadequate validation.


@ -378,9 +378,24 @@ attachLdSignatureForRelays: true
# For security reasons, uploading attachments from the intranet is prohibited, # For security reasons, uploading attachments from the intranet is prohibited,
# but exceptions can be made from the following settings. Default value is "undefined". # but exceptions can be made from the following settings. Default value is "undefined".
# Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)). # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)).
#allowedPrivateNetworks: [ # Some example configurations:
# '127.0.0.1/32' #allowedPrivateNetworks:
#] # # Allow connections to 127.0.0.1 on any port
# - '127.0.0.1/32'
# # Allow connections to 127.0.0.* on any port
# - '127.0.0.1/24'
# # Allow connections to 127.0.0.1 on any port
# - '127.0.0.1'
# # Allow connections to 127.0.0.1 on any port
# - network: '127.0.0.1'
# # Allow connections to 127.0.0.1 on port 80
# - network: '127.0.0.1'
# ports: [80]
# # Allow connections to 127.0.0.1 on port 80 or 443
# - network: '127.0.0.1'
# ports:
# - 80
# - 443
#customMOTD: ['Hello World', 'The sharks rule all', 'Shonks'] #customMOTD: ['Hello World', 'The sharks rule all', 'Shonks']


@ -381,9 +381,24 @@ attachLdSignatureForRelays: true
# For security reasons, uploading attachments from the intranet is prohibited, # For security reasons, uploading attachments from the intranet is prohibited,
# but exceptions can be made from the following settings. Default value is "undefined". # but exceptions can be made from the following settings. Default value is "undefined".
# Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)). # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)).
#allowedPrivateNetworks: [ # Some example configurations:
# '127.0.0.1/32' #allowedPrivateNetworks:
#] # # Allow connections to 127.0.0.1 on any port
# - '127.0.0.1/32'
# # Allow connections to 127.0.0.* on any port
# - '127.0.0.1/24'
# # Allow connections to 127.0.0.1 on any port
# - '127.0.0.1'
# # Allow connections to 127.0.0.1 on any port
# - network: '127.0.0.1'
# # Allow connections to 127.0.0.1 on port 80
# - network: '127.0.0.1'
# ports: [80]
# # Allow connections to 127.0.0.1 on port 80 or 443
# - network: '127.0.0.1'
# ports:
# - 80
# - 443
#customMOTD: ['Hello World', 'The sharks rule all', 'Shonks'] #customMOTD: ['Hello World', 'The sharks rule all', 'Shonks']


@ -84,7 +84,7 @@ type Source = {
proxySmtp?: string; proxySmtp?: string;
proxyBypassHosts?: string[]; proxyBypassHosts?: string[];
allowedPrivateNetworks?: string[]; allowedPrivateNetworks?: PrivateNetworkSource[];
disallowExternalApRedirect?: boolean; disallowExternalApRedirect?: boolean;
maxFileSize?: number; maxFileSize?: number;
@ -154,11 +154,13 @@ type Source = {
} }
}; };
export type PrivateNetworkSource = string | { ip?: string, ports?: number[] };
export type PrivateNetwork = { export type PrivateNetwork = {
/** /**
* CIDR IP/netmask definition of the IP range to match. * CIDR IP/netmask definition of the IP range to match.
*/ */
cidr: [ip: IPv4 | IPv6, mask: number]; cidr: CIDR;
/** /**
* List of ports to match. * List of ports to match.
@ -168,17 +170,41 @@ export type PrivateNetwork = {
ports?: number[]; ports?: number[];
}; };
export function parsePrivateNetworks(patterns: string[]): PrivateNetwork[]; export type CIDR = [ip: IPv4 | IPv6, mask: number];
export function parsePrivateNetworks(patterns: PrivateNetworkSource[]): PrivateNetwork[];
export function parsePrivateNetworks(patterns: undefined): undefined; export function parsePrivateNetworks(patterns: undefined): undefined;
export function parsePrivateNetworks(patterns: string[] | undefined): PrivateNetwork[] | undefined; export function parsePrivateNetworks(patterns: PrivateNetworkSource[] | undefined): PrivateNetwork[] | undefined;
export function parsePrivateNetworks(patterns: string[] | undefined): PrivateNetwork[] | undefined { export function parsePrivateNetworks(patterns: PrivateNetworkSource[] | undefined): PrivateNetwork[] | undefined {
return patterns?.map(e => { if (!patterns) return undefined;
const [ip, ports] = e.split('#') as [string, ...(string | undefined)[]]; return patterns
return { .map(e => {
cidr: ipaddr.parseCIDR(ip), if (typeof(e) === 'string') {
ports: ports?.split(',').map(p => parseInt(p)), const cidr = parseIpOrMask(e);
}; if (cidr) {
}); return { cidr } satisfies PrivateNetwork;
}
} else if (e.ip) {
const cidr = parseIpOrMask(e.ip);
if (cidr) {
return { cidr, ports: e.ports } satisfies PrivateNetwork;
}
}
console.warn('[config] Skipping invalid entry in allowedPrivateNetworks: ', e);
return null;
})
.filter(p => p != null);
}
function parseIpOrMask(ipOrMask: string): CIDR | null {
if (ipaddr.isValidCIDR(ipOrMask)) {
return ipaddr.parseCIDR(ipOrMask);
}
if (ipaddr.isValid(ipOrMask)) {
return ipaddr.parseCIDR(ipOrMask);
}
return null;
} }
export type Config = { export type Config = {
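Review bot: In `parseIpOrMask`, the second branch calls `ipaddr.parseCIDR(ipOrMask)` after `ipaddr.isValid(ipOrMask)` has confirmed a bare address with no `/mask`; if I read ipaddr.js correctly, `parseCIDR` requires the `addr/len` form and throws for a plain address, so the bare-IP examples the commit documents (`'127.0.0.1'`, `ip:`/`network: '127.0.0.1'`) would abort config loading with an uncaught error inside `map` instead of being accepted or warned about. The branch should build a host-length CIDR explicitly, e.g. `const ip = ipaddr.parse(ipOrMask); return [ip, ip.kind() === 'ipv4' ? 32 : 128];`. Separately, the old `cidr#port,port` string syntax that `split('#')` accepted is no longer parsed; if that was intentional, a one-line comment on `parsePrivateNetworks` saying strings are now CIDR-or-address only would save the next reader a bisect. The parser also reads `e.ip` while the example configs use `network:` as the object key, which is raised on the first example-config section.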