Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 08:36:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

refactor: ip blacklist.test

Browse Source 
also dont call ipaddr.parse if cidr rules is empty
add a test for cidr
This commit is contained in:
Barış Soner Uşaklı
2023-08-02 12:52:46 -04:00
parent 3b125ba27e
commit 38c0c8dec0
2 changed files with 41 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
src/meta/blacklist.js
View File

@@ -44,48 +44,49 @@ Blacklist.get = async function () {
}; };
Blacklist.test = async function (clientIp) { Blacklist.test = async function (clientIp) {
// Some handy test addresses
// clientIp = '2001:db8:85a3:0:0:8a2e:370:7334'; // IPv6
// clientIp = '127.0.15.1'; // IPv4
// clientIp = '127.0.15.1:3443'; // IPv4 with port strip port to not fail
if (!clientIp) { if (!clientIp) {
return; return;
} }
clientIp = clientIp.split(':').length === 2 ? clientIp.split(':')[0] : clientIp; clientIp = clientIp.split(':').length === 2 ? clientIp.split(':')[0] : clientIp;
let addr; const rules = Blacklist._rules;
try { function checkCidrRange(clientIP) {
addr = ipaddr.parse(clientIp); if (!rules.cidr.length) {
} catch (err) { return false;
winston.error(`[meta/blacklist] Error parsing client IP : ${clientIp}`); }
throw err; let addr;
} try {
addr = ipaddr.parse(clientIP);
if ( } catch (err) {
!Blacklist._rules.ipv4.includes(clientIp) && // not explicitly specified in ipv4 list winston.error(`[meta/blacklist] Error parsing client IP : ${clientIp}`);
!Blacklist._rules.ipv6.includes(clientIp) && // not explicitly specified in ipv6 list throw err;
!Blacklist._rules.cidr.some((subnet) => { }
return rules.cidr.some((subnet) => {
const cidr = ipaddr.parseCIDR(subnet); const cidr = ipaddr.parseCIDR(subnet);
if (addr.kind() !== cidr[0].kind()) { if (addr.kind() !== cidr[0].kind()) {
return false; return false;
} }
return addr.match(cidr); return addr.match(cidr);
}) // not in a blacklisted IPv4 or IPv6 cidr range });
) { }
try {
// To return test failure, pass back an error in callback if (rules.ipv4.includes(clientIp) ||
await plugins.hooks.fire('filter:blacklist.test', { ip: clientIp }); rules.ipv6.includes(clientIp) ||
} catch (err) { checkCidrRange(clientIp)) {
analytics.increment('blacklist');
throw err;
}
} else {
const err = new Error('[[error:blacklisted-ip]]'); const err = new Error('[[error:blacklisted-ip]]');
err.code = 'blacklisted-ip'; err.code = 'blacklisted-ip';
analytics.increment('blacklist'); analytics.increment('blacklist');
throw err; throw err;
} }
try {
// To return test failure, throw an error in hook
await plugins.hooks.fire('filter:blacklist.test', { ip: clientIp });
} catch (err) {
analytics.increment('blacklist');
throw err;
}
}; };
Blacklist.validate = function (rules) { Blacklist.validate = function (rules) {

14
test/blacklist.js
View File

@@ -59,10 +59,24 @@ describe('blacklist', () => {
}); });
}); });
it('should fail ip test against blacklist with port', (done) => {
blacklist.test('1.1.1.1:4567', (err) => {
assert.equal(err.message, '[[error:blacklisted-ip]]');
done();
});
});
it('should pass ip test and not crash with ipv6 address', (done) => { it('should pass ip test and not crash with ipv6 address', (done) => {
blacklist.test('2001:db8:85a3:0:0:8a2e:370:7334', (err) => { blacklist.test('2001:db8:85a3:0:0:8a2e:370:7334', (err) => {
assert.ifError(err); assert.ifError(err);
done(); done();
}); });
}); });
it('should fail ip test due to cidr', (done) => {
blacklist.test('192.168.100.1', (err) => {
assert.equal(err.message, '[[error:blacklisted-ip]]');
done();
});
});
}); });