feat: #11868 apply blacklist to routes (#11873)

api and regular routes
dont allow blacklisting self ip
check blacklist on socket emits

public/language/en-GB/error.json

@@ -62,6 +62,7 @@
 	"user-banned-reason-until": "Sorry, this account has been banned until %1 (Reason: %2)",
 	"user-too-new": "Sorry, you are required to wait %1 second(s) before making your first post",
 	"blacklisted-ip": "Sorry, your IP address has been banned from this community. If you feel this is in error, please contact an administrator.",
+	"cant-blacklist-self-ip": "You can't blacklist your own IP",
 	"ban-expiry-missing": "Please provide an end date for this ban",
 
 	"no-category": "Category does not exist",

src/meta/blacklist.js

@@ -38,6 +38,16 @@ Blacklist.save = async function (rules) {
 	pubsub.publish('blacklist:reload');
 };
 
+Blacklist.addRule = async function (rule) {
+	const { valid } = Blacklist.validate(rule);
+	if (!valid.length) {
+		throw new Error('[[error:invalid-rule]]');
+	}
+	let rules = await Blacklist.get();
+	rules = `${rules}\n${valid[0]}`;
+	await Blacklist.save(rules);
+};
+
 Blacklist.get = async function () {
 	const data = await db.getObject('ip-blacklist-rules');
 	return data && data.rules;
@@ -165,12 +175,4 @@ Blacklist.validate = function (rules) {
 	};
 };
 
-Blacklist.addRule = async function (rule) {
+
-	const { valid } = Blacklist.validate(rule);
-	if (!valid.length) {
-		throw new Error('[[error:invalid-rule]]');
-	}
-	let rules = await Blacklist.get();
-	rules = `${rules}\n${valid[0]}`;
-	await Blacklist.save(rules);
-};

src/routes/helpers.js

@@ -16,6 +16,7 @@ helpers.setupPageRoute = function (...args) {
 	}
 
 	middlewares = [
+		middleware.applyBlacklist,
 		middleware.authenticateRequest,
 		middleware.maintenanceMode,
 		middleware.registrationComplete,
@@ -53,6 +54,7 @@ helpers.setupApiRoute = function (...args) {
 	const controller = args[args.length - 1];
 
 	middlewares = [
+		middleware.applyBlacklist,
 		middleware.authenticateRequest,
 		middleware.maintenanceMode,
 		middleware.registrationComplete,

src/socket.io/blacklist.js

@@ -24,6 +24,10 @@ async function blacklist(socket, method, rule) {
 	if (!isAdminOrGlobalMod) {
 		throw new Error('[[error:no-privileges]]');
 	}
+	if (socket.ip && rule.includes(socket.ip)) {
+		throw new Error('[[error:cant-blacklist-self-ip]]');
+	}
+
 	await meta.blacklist[method](rule);
 	await events.log({
 		type: `ip-blacklist-${method}`,

src/socket.io/index.js

@@ -12,6 +12,7 @@ const user = require('../user');
 const logger = require('../logger');
 const plugins = require('../plugins');
 const ratelimit = require('../middleware/ratelimit');
+const blacklist = require('../meta/blacklist');
 
 const Namespaces = Object.create(null);
 
@@ -178,6 +179,7 @@ async function onMessage(socket, payload) {
 			return socket.disconnect();
 		}
 
+		await blacklist.test(socket.ip);
 		await checkMaintenance(socket);
 		await validateSession(socket, '[[error:revalidate-failure]]');