From ec4a4dbe4117857231e39524b792025968dd1fc9 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt <erik.arvstedt@gmail.com>
Date: Fri, 15 Oct 2021 15:56:14 +0200
Subject: [PATCH] btcpayserver: fix whitelist security issue

Whitelisting localhost implicitly whitelists all inbound onion
connections. This prevents banning misbehaving inbound onion peers
and enables message `mempool` which can cause privacy leaks.

Instead, grant `download` as the single bitcoind whitelist permission, which
should be safe for onion peers.
Remove liquidd whitelisting because it doesn't support fine-grained permissions.

After a cursory glance at the nbxplorer code I think that nbxplorer
requires none of the other default whitelist permissions (noban, mempool,
relay).
Details: https://github.com/dgarage/NBXplorer/issues/344
---
 modules/btcpayserver.nix | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index cc959aa..4a95900 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -119,7 +119,7 @@ in {
       # Enable p2p connections
       listen = true;
       extraConfig = ''
-        whitelist=${nbLib.address cfg.nbxplorer.address}
+        whitelist=download@${nbLib.address cfg.nbxplorer.address}
       '';
     };
     services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
@@ -128,9 +128,6 @@ in {
       enable = true;
       # Enable p2p connections
       listen = true;
-      extraConfig = ''
-        whitelist=${nbLib.address cfg.nbxplorer.address}
-      '';
     };
 
     services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {