From 4e47681e7b3bb92fad73660832eb91a62e148f87 Mon Sep 17 00:00:00 2001
From: Matthew Draper
Date: Sun, 12 Apr 2015 08:29:28 +0930
Subject: [PATCH] Always apply Web Console's stricter whitelist to remote IPs

---
 lib/web_console/request.rb | 21 ++++++++++++++++++++-
 test/web_console/request_test.rb | 24 ++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/lib/web_console/request.rb b/lib/web_console/request.rb
index f48aec6..d7a8a72 100644
--- a/lib/web_console/request.rb
+++ b/lib/web_console/request.rb
@@ -15,7 +15,12 @@ module WebConsole
 # For a request to hit Web Console features, it needs to come from a white
 # listed IP.
 def from_whitelited_ip?
- whitelisted_ips.include?(remote_ip)
+ whitelisted_ips.include?(strict_remote_ip)
+ end
+
+ # Determines the remote IP using our much stricter whitelist.
+ def strict_remote_ip
+ GetSecureIp.new(env, whitelisted_ips).to_s
 end

 # Returns whether the request is from an acceptable content type.
@@ -26,5 +31,19 @@ module WebConsole
 def acceptable_content_type?
 content_type.blank? || content_type.in?(acceptable_content_types)
 end
+
+ class GetSecureIp < ActionDispatch::RemoteIp::GetIp
+ def initialize(env, proxies)
+ @env = env
+ @check_ip = true
+ @proxies = proxies
+ end
+
+ def filter_proxies(ips)
+ ips.reject do |ip|
+ @proxies.include?(ip)
+ end
+ end
+ end
 end
 end
diff --git a/test/web_console/request_test.rb b/test/web_console/request_test.rb
index 93b466b..3fd953a 100644
--- a/test/web_console/request_test.rb
+++ b/test/web_console/request_test.rb
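Review bot: `from_whitelited_ip?` can now raise instead of answering false, because `strict_remote_ip` builds `GetSecureIp` with `@check_ip = true` and, in the Rails versions I am aware of, the inherited `calculate_ip` raises `ActionDispatch::RemoteIp::IpSpoofAttackError` when `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` disagree; nothing on the new side rescues it. A predicate used as a boolean gate should presumably fail closed rather than surface a 500 (and if the middleware consults it on every request, a single malformed request would hit that path). If fail-closed is the intent, add `rescue ActionDispatch::RemoteIp::IpSpoofAttackError` / `false` to the method body; otherwise document that it may raise. The comment on `strict_remote_ip` would also help a reader more if it said what "stricter" means: `# Client IP resolved with only whitelisted hosts trusted as proxies (not Rails' default proxy list). Returns a String.`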
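Review bot: `GetSecureIp` depends on non-public internals of `ActionDispatch::RemoteIp::GetIp` — the `@env`, `@check_ip` and `@proxies` ivars set by a constructor whose arity it changes, and the `filter_proxies` hook it overrides — but carries no comment recording that contract, so a Rails upgrade that renames an ivar or stops calling `filter_proxies` could break the strict check (possibly without a test failing, if the parent's fallback still returns an address). I would add a header comment above the class stating that it resolves the client IP like `GetIp` but treats only whitelisted addresses as trusted proxies, so an address forwarded through a non-whitelisted hop is never accepted, and that it relies on `GetIp`'s private ivars and `filter_proxies` hook and must be re-checked on every Rails bump. Since only `strict_remote_ip` uses it, `private_constant :GetSecureIp` after the class would keep it out of the public surface. Style: the two-line `do |ip| … end` block is a one-liner, `ips.reject { |ip| @proxies.include?(ip) }`.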
@@ -18,6 +18,30 @@ module WebConsole
 assert req.from_whitelited_ip?
 end

+ test '#from_whitelisted_ip? is truthy for whitelisted IPs via whitelisted proxies' do
+ req = request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '127.0.0.0')
+
+ assert req.from_whitelited_ip?
+ end
+
+ test '#from_whitelisted_ip? is falsy for blacklisted IPs via whitelisted proxies' do
+ req = request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '0.0.0.0')
+
+ assert_not req.from_whitelited_ip?
+ end
+
+ test '#from_whitelisted_ip? is falsy for lying blacklisted IPs via whitelisted proxies' do
+ req = request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '10.0.0.0, 127.0.0.0')
+
+ assert_not req.from_whitelited_ip?
+ end
+
+ test '#from_whitelisted_ip? is falsy for whitelisted IPs via blacklisted proxies' do
+ req = request('http://example.com', 'REMOTE_ADDR' => '10.0.0.0', 'HTTP_X_FORWARDED_FOR' => '127.0.0.0')
+
+ assert_not req.from_whitelited_ip?
+ end
+
 test '#acceptable_content_type? is truthy for explicit HTML content type' do
 html = request('http://example.com', 'CONTENT_TYPE' => 'text/html')
 xhtml = request('http://example.com', 'CONTENT_TYPE' => 'application/xhtml+xml')
-- 
2.3.2 (Apple Git-55)
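Review bot: None of the four new cases pins the boundary where every address in the chain is whitelisted, e.g. `request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '127.0.0.0, 127.0.0.1')`, which (if the parent `GetIp` behaves as I recall) only stays truthy because `filter_proxies` removes everything and `calculate_ip` falls back to `REMOTE_ADDR`; a fifth test asserting `from_whitelited_ip?` for that request would lock that fallback in. The `HTTP_CLIENT_IP` path that `@check_ip = true` enables is also untested, so whether a request with conflicting `HTTP_CLIENT_IP`/`HTTP_X_FORWARDED_FOR` headers raises or is simply denied is unspecified — worth one test either way. Minor: the new test descriptions say `#from_whitelisted_ip?` while the assertions call `from_whitelited_ip?`, which is the method's existing spelling; the mismatch inside freshly added lines will trip up whoever greps for the name.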