From 9e520998bda943be7ed00be3b1c63afa90fb267f Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Fri, 4 Jan 2019 15:29:27 -0800 Subject: [PATCH] Added support for CIDR address checking in UserAllowedIP setting. --- meshcentral.js | 1 + package.json | 3 ++- sample-config.json | 1 + webserver.js | 14 +++++--------- 4 files changed, 9 insertions(+), 10 deletions(-) diff --git a/meshcentral.js b/meshcentral.js index c8f097cc..aabdb753 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -252,6 +252,7 @@ function CreateMeshCentralServer(config, args) { if (obj.args.mpsaliasport != null && (typeof obj.args.mpsaliasport != 'number')) obj.args.mpsaliasport = null; if (obj.args.notls == null && obj.args.redirport == null) obj.args.redirport = 80; if (obj.args.minifycore === 0) obj.args.minifycore = false; + if (typeof obj.args.userallowedip == 'string') { if (obj.args.userallowedip == '') { obj.args.userallowedip = null; } else { obj.args.userallowedip = obj.userallowedip.split(','); } } if (typeof obj.args.debug == 'number') obj.debugLevel = obj.args.debug; if (obj.args.debug == true) obj.debugLevel = 1; obj.db = require('./db.js').CreateDB(obj); diff --git a/package.json b/package.json index 938ddadb..873a3ef3 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "meshcentral", - "version": "0.2.5-q", + "version": "0.2.5-r", "keywords": [ "Remote Management", "Intel AMT", @@ -35,6 +35,7 @@ "express-handlebars": "^3.0.0", "express-session": "^1.15.6", "express-ws": "^4.0.0", + "ipcheck": "^0.1.0", "meshcentral": "*", "minimist": "^1.2.0", "multiparty": "^4.2.1", diff --git a/sample-config.json b/sample-config.json index b3d12000..0771250c 100644 --- a/sample-config.json +++ b/sample-config.json 
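Review bot: The added `userallowedip` normalization in the meshcentral.js hunk splits `obj.userallowedip` rather than `obj.args.userallowedip`, so unless `obj.userallowedip` is assigned somewhere not shown here this line throws a TypeError at startup as soon as the setting is a non-empty string, and the allowlist never takes effect. The else branch should read `obj.args.userallowedip = obj.args.userallowedip.split(',');`. Because `split(',')` keeps whitespace around entries, trimming each one, e.g. `obj.args.userallowedip = obj.args.userallowedip.split(',').map(function (s) { return s.trim(); });`, keeps a value like `"127.0.0.1, 192.168.1.0/24"` from silently failing to match its second entry. CreateMeshCentralServer continues outside the hunk.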
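Review bot: The new `ipcheck` entry in the second package.json hunk puts a third-party module directly on the request-authorization path (it decides whether a client IP is allowed), and the diffstat shows no lockfile updated alongside the `^0.1.0` range, which admits any `0.1.x` release. If the project does not keep a lockfile, pinning the exact version that was reviewed, or at least recording it in the commit, prevents a later transparent upgrade from changing what the allowlist matches without anyone re-reading the code.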
@@ -31,6 +31,7 @@ "NewAccounts": 1, "Footer": "Twitter", "_CertUrl": "https://192.168.2.106:443/", + "_UserAllowedIP": "127.0.0.1,192.168.1.0/24", "_PasswordRequirements": { "min": 8, "max": 128, "upper": 1, "lower": 1, "numeric": 1, "nonalpha": 1 } }, "customer1": { diff --git a/webserver.js b/webserver.js index 861f87f0..f4fcae9a 100644 --- a/webserver.js +++ b/webserver.js @@ -292,8 +292,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if (req.connection) { type = 1; ip = req.ip; } // HTTP(S) request else if (req._socket) { type = 2; ip = req._socket.remoteAddress; } // WebSocket request if (!ip) return false; - if (ip.startsWith('::ffff:')) { ip = ip.substring(7); } // Fix IPv4 IP's encoded in IPv6 form - if ((ip != null) && (allowedIpList.indexOf(ip) >= 0)) { return true; } + for (var i = 0; i < allowedIpList.length; i++) { if (require('ipcheck').match(ip, allowedIpList[i])) { return true; } } if (type == 1) { res.sendStatus(401); } else if (type == 2) { try { req.close(); } catch (e) { } } } catch (e) { console.log(e); } 
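Review bot: The replacement loop in the @@ -292 hunk of webserver.js drops the `::ffff:` normalization, so IPv4 clients arriving over a dual-stack listener now reach `ipcheck.match` as `::ffff:a.b.c.d`, and whether that matches an IPv4 or CIDR entry depends entirely on the library, which the diff does not establish. If it does not match, the check fails closed and every IPv4 user of a configured allowlist gets a 401, so either keep `if (ip.startsWith('::ffff:')) { ip = ip.substring(7); }` ahead of the loop or add a test pinning that `ipcheck.match('::ffff:192.168.1.5', '192.168.1.0/24')` behaves as intended. The `require('ipcheck')` inside the per-request loop should move to a module-level `var ipcheck = require('ipcheck');` so a missing or broken module fails at load time rather than inside this try/catch, where it is only logged; what the function returns after the catch is outside the hunk, and if it falls through to an implicit `undefined` the caller's `== false` test would treat that as allowed. The enclosing checkUserIpAddressEx starts outside the hunk.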
@@ -302,15 +301,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { // Check if the source IP address is allowed, return domain if allowed function checkUserIpAddress(req, res, rootonly) { - if (obj.userAllowedIp != null) { - if (typeof obj.userAllowedIp == 'string') { if (obj.userAllowedIp == "") { obj.userAllowedIp = null; return true; } else { obj.userAllowedIp = obj.userAllowedIp.split(','); } } - if (checkUserIpAddressEx(req, res, obj.userAllowedIp) == false) return null; - } - if (rootonly == true) return; + if ((obj.userAllowedIp != null) && (checkUserIpAddressEx(req, res, obj.userAllowedIp) == false)) { return null; } + if (rootonly == true) { return; } var domain; if (req.url) { domain = getDomain(req); } else { domain = getDomain(res); } if (domain.userallowedip == null) return domain; - if (checkUserIpAddressEx(req, res, domain.userallowedip) == false) return null; + if (checkUserIpAddressEx(req, res, domain.userallowedip) == false) { return null; } return domain; } @@ -321,7 +317,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { var x = req.url.split('/'); if (x.length < 2) return parent.config.domains['']; var y = parent.config.domains[x[1].toLowerCase()]; - if ((y != null) && (y.dns == null)) return parent.config.domains[x[1].toLowerCase()]; + if ((y != null) && (y.dns == null)) { return parent.config.domains[x[1].toLowerCase()]; } return parent.config.domains['']; }
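Review bot: In the @@ -302 hunk checkUserIpAddress now hands `domain.userallowedip` straight to checkUserIpAddressEx, but nothing in this change splits a per-domain value that arrives as a comma-separated string (the sample-config hunk shows exactly that form); only the global `obj.args.userallowedip` is normalized in meshcentral.js. If the domain value is still a string, the loop in checkUserIpAddressEx indexes it character by character and no entry can match, so every request to that domain is refused. Either normalize domain settings where the config is loaded or coerce here before the call: `if (typeof domain.userallowedip == 'string') { domain.userallowedip = domain.userallowedip.split(','); }`. The removed early `return true` for an empty `obj.userAllowedIp` string is only safe if that field is populated from the now-normalized `args.userallowedip`, which is not visible here and worth confirming.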
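Review bot: The re-braced lookup in the @@ -321 hunk still indexes `parent.config.domains` with a raw path segment, so, assuming `parent.config.domains` is a plain object, a request whose first segment names an inherited property such as `constructor` or `__proto__` yields a non-null `y` whose `.dns` is undefined, and getDomain returns that prototype member as the domain object instead of falling back to the default domain. What callers then do with such an object is outside the hunk, but an own-property check closes the gap and also avoids recomputing the lookup: `var key = x[1].toLowerCase();` / `var y = Object.prototype.hasOwnProperty.call(parent.config.domains, key) ? parent.config.domains[key] : null;` / `if ((y != null) && (y.dns == null)) { return y; }`. getDomain's signature lies outside the hunk, which begins at `var x = req.url.split('/');`.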