Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix client IP checked against trusted proxies #379

Closed
wants to merge 3 commits into from
Closed

fix client IP checked against trusted proxies #379

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4d97d85
fix client IP checked against trusted proxies
tuetenk0pp Jun 19, 2024
8d64da4
add blank line at end of file
tuetenk0pp Jun 19, 2024
fc47b48
add release notes
tuetenk0pp Jun 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 27 additions & 12 deletions src/util/validate-user.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,20 +34,35 @@ export function validateAuthHeader(req) {
return true;
}

let sender = proxyaddr(req, 'uniquelocal');
let sender_ip = ipaddr.process(sender);
// Retrieve all addresses except the last one
let proxies = proxyaddr.all(req, 'uniquelocal');
let client_ip = ipaddr.process(proxies[proxies.length - 1]); // Store client IP for later use
proxies.pop(); // Remove the last address, which is the client's address

const rangeList = {
allowed_ips: config.trustedProxies.map((q) => ipaddr.parseCIDR(q)),
};
/* eslint-disable @typescript-eslint/ban-ts-comment */
// @ts-ignore : there is an error in the ts definition for the function, but this is valid
var matched = ipaddr.subnetMatch(sender_ip, rangeList, 'fail');
/* eslint-enable @typescript-eslint/ban-ts-comment */
if (matched == 'allowed_ips') {
console.info(`Header Auth Login permitted from ${sender}`);
return true;
} else {
console.warn(`Header Auth Login attempted from ${sender}`);
return false;

// Check if all of the proxies are within the trusted range
for (let proxy of proxies) {
let proxy_ip = ipaddr.process(proxy);
/* eslint-disable @typescript-eslint/ban-ts-comment */
// @ts-ignore : there is an error in the ts definition for the function, but this is valid
var matched = ipaddr.subnetMatch(proxy_ip, rangeList, 'fail');
/* eslint-enable @typescript-eslint/ban-ts-comment */
if (matched != 'allowed_ips') {
console.warn(`blocked Header Auth Login attempt from ${proxy_ip}`);
console.info(`Client IP: ${client_ip}`);
return false;
}
}

// If all of the proxies matched the allowed IPs
let proxy_ips = [];
for (let proxy of proxies) {
proxy_ips.push(ipaddr.process(proxy));
}
console.info(`permitted Header Auth Login from ${proxy_ips.join(', ')}`);
console.info(`Client IP: ${client_ip}`);
return true;
}
6 changes: 6 additions & 0 deletions upcoming-release-notes/379.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
category: Bugfix
authors: [tuetenk0pp]
---

Fix client IP checked against trusted proxies.