diff options
| author | Smolyakov <[email protected]> | 2019-09-01 15:36:42 +0300 |
|---|---|---|
| committer | Smolyakov <[email protected]> | 2019-09-01 15:36:42 +0300 |
| commit | 488a9774636ece92e730a41092403410910d566f (patch) | |
| tree | ed1138e5f2af51089650f16fde471738ca06565e | |
| parent | 49e002c11e5cc915d80efa58611f4c4a72de7bb2 (diff) | |
Use last IP address from X-Forwarded-For without validation of trusty
| -rw-r--r-- | service/http/config.go | 8 | ||||
| -rw-r--r-- | service/http/config_test.go | 37 | ||||
| -rw-r--r-- | service/http/handler.go | 11 | ||||
| -rw-r--r-- | service/http/handler_test.go | 2 |
4 files changed, 54 insertions, 4 deletions
diff --git a/service/http/config.go b/service/http/config.go index ff15e83e..25be205c 100644 --- a/service/http/config.go +++ b/service/http/config.go @@ -189,6 +189,14 @@ func (c *Config) IsTrusted(ip string) bool { return false } +func (c *Config) IsValid(ip string) bool { + i := net.ParseIP(ip) + if i == nil { + return false + } + return true +} + // Valid validates the configuration. func (c *Config) Valid() error { if c.Uploads == nil { diff --git a/service/http/config_test.go b/service/http/config_test.go index d8b92247..800c87ce 100644 --- a/service/http/config_test.go +++ b/service/http/config_test.go @@ -83,6 +83,43 @@ func Test_Trusted_Subnets(t *testing.T) { assert.False(t, cfg.IsTrusted("127.0.0.0.1")) } +func TestConfig_IsValid(t *testing.T) { + + cfg := &Config{ + Address: ":8080", + MaxRequestSize: 1024, + Uploads: &UploadsConfig{ + Dir: os.TempDir(), + Forbid: []string{".go"}, + }, + HTTP2: &HTTP2Config{ + Enabled: true, + }, + TrustedSubnets: []string{"200.1.0.0/16"}, + Workers: &roadrunner.ServerConfig{ + Command: "php tests/client.php echo pipes", + Relay: "pipes", + Pool: &roadrunner.Config{ + NumWorkers: 1, + AllocateTimeout: time.Second, + DestroyTimeout: time.Second, + }, + }, + } + + ip6 := "FE80::0202:B3FF:FE1E:8329" + ip4 := "127.0.0.1" + + assert.True(t, cfg.IsValid(ip4)) + assert.True(t, cfg.IsValid(ip6)) + + ip4Invalid := "127.0.0.0.1" + ip6Invalid := "FE80::0202::B3FF:FE1E:8329" // Can only use :: once in an address + + assert.False(t, cfg.IsValid(ip4Invalid)) + assert.False(t, cfg.IsValid(ip6Invalid)) +} + func Test_Trusted_Subnets_Err(t *testing.T) { cfg := &Config{ Address: ":8080", diff --git a/service/http/handler.go b/service/http/handler.go index 254f5ca6..19179b72 100644 --- a/service/http/handler.go +++ b/service/http/handler.go @@ -152,12 +152,17 @@ func (h *Handler) resolveIP(r *Request) { } if r.Header.Get("X-Forwarded-For") != "" { - for _, addr := range strings.Split(r.Header.Get("X-Forwarded-For"), ",") { - addr = strings.TrimSpace(addr) - if h.cfg.IsTrusted(addr) { + ips := strings.Split(r.Header.Get("X-Forwarded-For"), ",") + ipCount := len(ips) + + for i := ipCount - 1; i >= 0; i-- { + addr := strings.TrimSpace(ips[i]) + if h.cfg.IsValid(addr) { r.RemoteAddr = addr + return } } + return } diff --git a/service/http/handler_test.go b/service/http/handler_test.go index 95077da6..52386abb 100644 --- a/service/http/handler_test.go +++ b/service/http/handler_test.go @@ -1345,7 +1345,7 @@ func TestHandler_XForwardedFor(t *testing.T) { assert.NoError(t, err) assert.Equal(t, 200, r.StatusCode) - assert.Equal(t, "200.0.0.1", body) + assert.Equal(t, "101.0.0.1", body) } func BenchmarkHandler_Listen_Echo(b *testing.B) { |