From 4d97d85f45d85ae5e2fa1ec3f2553527d8687582 Mon Sep 17 00:00:00 2001
From: Tuetenk0pp <55783419+Tuetenk0pp@users.noreply.github.com>
Date: Wed, 19 Jun 2024 11:33:37 +0200
Subject: [PATCH 1/3] fix client IP checked against trusted proxies
---
 src/util/validate-user.js | 41 ++++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/src/util/validate-user.js b/src/util/validate-user.js
index 117fb779b..e500b647d 100644
--- a/src/util/validate-user.js
+++ b/src/util/validate-user.js
@@ -34,20 +34,35 @@ export function validateAuthHeader(req) {
 return true;
 }
 
- let sender = proxyaddr(req, 'uniquelocal');
- let sender_ip = ipaddr.process(sender);
+ // Retrieve all addresses except the last one
+ let proxies = proxyaddr.all(req, 'uniquelocal');
+ let client_ip = ipaddr.process(proxies[proxies.length - 1]); // Store client IP for later use
+ proxies.pop(); // Remove the last address, which is the client's address
+
 const rangeList = {
 allowed_ips: config.trustedProxies.map((q) => ipaddr.parseCIDR(q)),
 };
- /* eslint-disable @typescript-eslint/ban-ts-comment */
- // @ts-ignore : there is an error in the ts definition for the function, but this is valid
- var matched = ipaddr.subnetMatch(sender_ip, rangeList, 'fail');
- /* eslint-enable @typescript-eslint/ban-ts-comment */
- if (matched == 'allowed_ips') {
- console.info(`Header Auth Login permitted from ${sender}`);
- return true;
- } else {
- console.warn(`Header Auth Login attempted from ${sender}`);
- return false;
+
+ // Check if all of the proxies are within the trusted range
+ for (let proxy of proxies) {
+ let proxy_ip = ipaddr.process(proxy);
+ /* eslint-disable @typescript-eslint/ban-ts-comment */
+ // @ts-ignore : there is an error in the ts definition for the function, but this is valid
+ var matched = ipaddr.subnetMatch(proxy_ip, rangeList, 'fail');
+ /* eslint-enable @typescript-eslint/ban-ts-comment */
+ if (matched != 'allowed_ips') {
+ console.warn(`blocked Header Auth Login attempt from ${proxy_ip}`);
+ console.info(`Client IP: ${client_ip}`);
+ return false;
+ }
 }
-}
+
+ // If all of the proxies matched the allowed IPs
+ let proxy_ips = [];
+ for (let proxy of proxies) {
+ proxy_ips.push(ipaddr.process(proxy));
+ }
+ console.info(`permitted Header Auth Login from ${proxy_ips.join(', ')}`);
+ console.info(`Client IP: ${client_ip}`);
+ return true;
+}
\ No newline at end of file
From 8d64da446e574a93a96bb1dfe5edab60dc5355c2 Mon Sep 17 00:00:00 2001
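Review bot: After `proxies.pop()` the list can be empty — as far as I can tell `proxyaddr.all` yields only the socket peer when no forwarded chain is present — and the `for (let proxy of proxies)` loop then passes vacuously, so the function returns true without any address ever being compared against `config.trustedProxies`; the old code at least checked the one address it had, so this is a loosening rather than just a fix. Unless a direct connection with no proxy in the path is deliberately meant to be trusted, add a guard before the loop: `if (proxies.length === 0) { console.warn('blocked Header Auth Login attempt: no trusted proxy in path'); return false; }`, and say in the comment above it that header auth is only meaningful when a trusted proxy set the header. The signature of `validateAuthHeader` and the early `return true` branch lie above the hunk, so I cannot see whether an earlier check already covers the direct-connection case. Minor: `var matched` inside the loop is function-scoped and should be `const matched`, `!=` should be `!==`, and `proxies`/`client_ip` are never reassigned and could be `const`.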
From: Tuetenk0pp <55783419+Tuetenk0pp@users.noreply.github.com>
Date: Wed, 19 Jun 2024 11:40:53 +0200
Subject: [PATCH 2/3] add blank line at end of file
---
 src/util/validate-user.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/validate-user.js b/src/util/validate-user.js
index e500b647d..348fe8f6b 100644
--- a/src/util/validate-user.js
+++ b/src/util/validate-user.js
@@ -65,4 +65,4 @@ export function validateAuthHeader(req) {
 console.info(`permitted Header Auth Login from ${proxy_ips.join(', ')}`);
 console.info(`Client IP: ${client_ip}`);
 return true;
-}
\ No newline at end of file
+}
From fc47b48352a19be3f1d875cb7049bba341129960 Mon Sep 17 00:00:00 2001
From: Tuetenk0pp <55783419+Tuetenk0pp@users.noreply.github.com>
Date: Wed, 19 Jun 2024 11:41:53 +0200
Subject: [PATCH 3/3] add release notes
---
 upcoming-release-notes/379.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 upcoming-release-notes/379.md
diff --git a/upcoming-release-notes/379.md b/upcoming-release-notes/379.md
new file mode 100644
index 000000000..44da44af1
--- /dev/null
+++ b/upcoming-release-notes/379.md
@@ -0,0 +1,6 @@
+---
+category: Bugfix
+authors: [tuetenk0pp]
+---
+
+Fix client IP checked against trusted proxies.