From 9062cd652a060fa9772fc4bae4cc683d67f4ad0d Mon Sep 17 00:00:00 2001
From: pitboss
Date: Fri, 22 May 2026 08:52:23 -0500
Subject: [PATCH] [pitboss/grind] cleanup session-0028 (20260522T043516Z-29b8)
---
 docs/serve.md | 6 +++---
 src/cfg/mod.rs | 7 -------
 2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/docs/serve.md b/docs/serve.md
index 038e97ee..61f014e6 100644
--- a/docs/serve.md
+++ b/docs/serve.md
@@ -25,10 +25,10 @@ There is **no** account, no telemetry, no remote logging, no auto-update ping. T
 ## Security model
-`nyx serve` enforces three things at the HTTP layer ([`src/server/security.rs`](https://github.com/elicpeter/nyx/blob/master/src/server/security.rs)):
+`nyx serve` enforces three things:
-1. **Loopback bind only.** `--host` and `[server].host` are clamped to `127.0.0.1`, `localhost`, or `::1`. Any other value is refused at startup with `Nyx serve only binds to loopback addresses; refused host ''`.
-2. **Host-header check.** Every request must carry a `Host` header that matches the bound address and port. Missing or mismatched headers get a `400 invalid Host header`. Defends against DNS rebinding.
+1. **Loopback bind only.** `--host` and `[server].host` are clamped to `127.0.0.1`, `localhost`, or `::1`. Any other value is refused at startup with `Nyx serve only binds to loopback addresses; refused host ''` ([`src/commands/serve.rs`](https://github.com/elicpeter/nyx/blob/master/src/commands/serve.rs)).
+2. **Host-header check.** Every request must carry a `Host` header that matches the bound address and port. Missing or mismatched headers get a `400 invalid Host header`. Defends against DNS rebinding ([`src/server/security.rs`](https://github.com/elicpeter/nyx/blob/master/src/server/security.rs)).
 3. **CSRF on mutations.** `POST` / `PUT` / `PATCH` / `DELETE` requests must carry a per-process CSRF token in the `x-nyx-csrf` header. The token is generated once when the server starts and exposed at `GET /api/health` so the embedded SPA can read it. Cross-origin mutations are rejected before the CSRF check via the `Origin` header.
 If you forward the port over SSH or expose it through a reverse proxy, the host-header check will reject the request because the `Host` won't match `localhost:9700`. That's the intended behaviour. Don't do this without a deliberate reason; the loopback bind is part of the security model.
diff --git a/src/cfg/mod.rs b/src/cfg/mod.rs
index 7c20df9e..d541e60c 100644
--- a/src/cfg/mod.rs
+++ b/src/cfg/mod.rs
@@ -791,10 +791,7 @@ impl NodeInfo {
 /// lose information.
 #[derive(Debug, Clone)]
 pub struct LocalFuncSummary {
- #[allow(dead_code)] // used for future intra-file graph traversal
 pub entry: NodeIndex,
- #[allow(dead_code)] // used for future intra-file graph traversal
- pub exit: NodeIndex,
 pub source_caps: Cap,
 pub sanitizer_caps: Cap,
 pub sink_caps: Cap,
@@ -901,7 +898,6 @@ pub struct BodyCfg {
 pub meta: BodyMeta,
 pub graph: Cfg,
 pub entry: NodeIndex,
- pub exit: NodeIndex,
 }
 /// A single import alias binding: local alias → original exported name + module.
@@ -5789,7 +5785,6 @@ pub(super) fn build_sub<'a>(
 key,
 LocalFuncSummary {
 entry: fn_entry,
- exit: fn_exit,
 source_caps: fn_src_bits,
 sanitizer_caps: fn_sani_bits,
 sink_caps: fn_sink_bits,
@@ -5839,7 +5834,6 @@ pub(super) fn build_sub<'a>(
 },
 graph: fn_graph,
 entry: fn_entry,
- exit: fn_exit,
 });
 // ── 7) Insert placeholder in parent graph ─────────────────────────
@@ -6428,7 +6422,6 @@ pub(crate) fn build_cfg<'a>(
 },
 graph: g,
 entry,
- exit,
 };
 bodies.insert(0, toplevel);
 // Sort by BodyId so that bodies[i].meta.id == BodyId(i).