Added support for CIDR address checking in UserAllowedIP setting.

This commit is contained in:
Ylian Saint-Hilaire 2019-01-04 15:29:27 -08:00
parent 3bc490b08e
commit 66b9e3ddb8
4 changed files with 9 additions and 10 deletions


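--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -252,6 +252,7 @@ function CreateMeshCentralServer(config, args) {
 if (obj.args.mpsaliasport != null && (typeof obj.args.mpsaliasport != 'number')) obj.args.mpsaliasport = null;
 if (obj.args.notls == null && obj.args.redirport == null) obj.args.redirport = 80;
 if (obj.args.minifycore === 0) obj.args.minifycore = false;
+if (typeof obj.args.userallowedip == 'string') { if (obj.args.userallowedip == '') { obj.args.userallowedip = null; } else { obj.args.userallowedip = obj.userallowedip.split(','); } }
 if (typeof obj.args.debug == 'number') obj.debugLevel = obj.args.debug;
 if (obj.args.debug == true) obj.debugLevel = 1;
 obj.db = require('./db.js').CreateDB(obj);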
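Review bot: The added line splits `obj.userallowedip` while both the condition and the assignment target are `obj.args.userallowedip`; unless `obj.userallowedip` is assigned somewhere else (nothing in this hunk sets it), any non-empty UserAllowedIP value will throw a TypeError here at startup instead of producing the list. That failure is loud rather than a silent bypass, but it makes the new feature unusable; the intended line is presumably `obj.args.userallowedip = obj.args.userallowedip.split(',');`. Entries are also not trimmed, so a value typed with spaces after the commas yields items like `' 192.168.1.0/24'`, and whether the matcher used in the web server accepts that is not visible in this commit; `.split(',').map(function (s) { return s.trim(); })` would make the setting tolerant of that spacing. CreateMeshCentralServer's body starts and ends outside the hunk.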


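--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
-"version": "0.2.5-q",
+"version": "0.2.5-r",
 "keywords": [
 "Remote Management",
 "Intel AMT",
@@ -35,6 +35,7 @@
 "express-handlebars": "^3.0.0",
 "express-session": "^1.15.6",
 "express-ws": "^4.0.0",
+"ipcheck": "^0.1.0",
 "meshcentral": "*",
 "minimist": "^1.2.0",
 "multiparty": "^4.2.1",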
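Review bot: The new `"ipcheck": "^0.1.0"` entry makes a third-party package the component that decides the UserAllowedIP access check, and as far as this page shows none of the four changed files is a lockfile, so the version actually installed is whatever the caret range resolves to at install time. Because a wrong match now means either locking administrators out or letting an unintended source through, it would be worth pinning the exact version (or adding a lockfile) and noting in the changelog which address forms the chosen version accepts — plain IPv4, CIDR, IPv4-mapped IPv6 — since that is not visible in this commit. The version bump in the first hunk needs no review.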


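--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -31,6 +31,7 @@
 "NewAccounts": 1,
 "Footer": "<a href='https://twitter.com/mytwitter'>Twitter</a>",
 "_CertUrl": "https://192.168.2.106:443/",
+"_UserAllowedIP": "127.0.0.1,192.168.1.0/24",
 "_PasswordRequirements": { "min": 8, "max": 128, "upper": 1, "lower": 1, "numeric": 1, "nonalpha": 1 }
 },
 "customer1": {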


@ -292,8 +292,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (req.connection) { type = 1; ip = req.ip; } // HTTP(S) request if (req.connection) { type = 1; ip = req.ip; } // HTTP(S) request
else if (req._socket) { type = 2; ip = req._socket.remoteAddress; } // WebSocket request else if (req._socket) { type = 2; ip = req._socket.remoteAddress; } // WebSocket request
if (!ip) return false; if (!ip) return false;
if (ip.startsWith('::ffff:')) { ip = ip.substring(7); } // Fix IPv4 IP's encoded in IPv6 form for (var i = 0; i < allowedIpList.length; i++) { if (require('ipcheck').match(ip, allowedIpList[i])) { return true; } }
if ((ip != null) && (allowedIpList.indexOf(ip) >= 0)) { return true; }
if (type == 1) { res.sendStatus(401); } if (type == 1) { res.sendStatus(401); }
else if (type == 2) { try { req.close(); } catch (e) { } } else if (type == 2) { try { req.close(); } catch (e) { } }
} catch (e) { console.log(e); } } catch (e) { console.log(e); }
@ -302,15 +301,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Check if the source IP address is allowed, return domain if allowed // Check if the source IP address is allowed, return domain if allowed
function checkUserIpAddress(req, res, rootonly) { function checkUserIpAddress(req, res, rootonly) {
if (obj.userAllowedIp != null) { if ((obj.userAllowedIp != null) && (checkUserIpAddressEx(req, res, obj.userAllowedIp) == false)) { return null; }
if (typeof obj.userAllowedIp == 'string') { if (obj.userAllowedIp == "") { obj.userAllowedIp = null; return true; } else { obj.userAllowedIp = obj.userAllowedIp.split(','); } } if (rootonly == true) { return; }
if (checkUserIpAddressEx(req, res, obj.userAllowedIp) == false) return null;
}
if (rootonly == true) return;
var domain; var domain;
if (req.url) { domain = getDomain(req); } else { domain = getDomain(res); } if (req.url) { domain = getDomain(req); } else { domain = getDomain(res); }
if (domain.userallowedip == null) return domain; if (domain.userallowedip == null) return domain;
if (checkUserIpAddressEx(req, res, domain.userallowedip) == false) return null; if (checkUserIpAddressEx(req, res, domain.userallowedip) == false) { return null; }
return domain; return domain;
} }
@ -321,7 +317,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
var x = req.url.split('/'); var x = req.url.split('/');
if (x.length < 2) return parent.config.domains['']; if (x.length < 2) return parent.config.domains[''];
var y = parent.config.domains[x[1].toLowerCase()]; var y = parent.config.domains[x[1].toLowerCase()];
if ((y != null) && (y.dns == null)) return parent.config.domains[x[1].toLowerCase()]; if ((y != null) && (y.dns == null)) { return parent.config.domains[x[1].toLowerCase()]; }
return parent.config.domains['']; return parent.config.domains[''];
} }
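Review bot: The new loop in checkUserIpAddressEx hands `ip` to `require('ipcheck').match` without the `::ffff:` normalisation the removed line performed, so an IPv4 client that reaches a dual-stack listener as `::ffff:192.168.1.5` is now matched only if the library itself understands IPv4-mapped addresses, which this commit does not show; keeping `if (ip.startsWith('::ffff:')) { ip = ip.substring(7); } // Fix IPv4 IP's encoded in IPv6 form` ahead of the loop preserves the old behaviour either way. The `require('ipcheck')` call also sits inside the loop and is evaluated on every request; hoisting it to a module-level variable alongside the file's other requires is cheaper and keeps the dependency visible at the top of the file. In the second hunk checkUserIpAddress no longer turns a string `obj.userAllowedIp` into an array and so relies on the startup conversion in CreateMeshCentralServer, but that code writes `obj.args.userallowedip` and the assignment of `obj.userAllowedIp` in this file is outside the shown hunks, so it is worth confirming the array form actually arrives here — a string would iterate per character and fail closed for everyone. checkUserIpAddressEx begins before the first hunk.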