When doing session IP address checkingin default 'lax' mode, if both addresses are private/loopback, it's now accepted as a match.

This commit is contained in:
Ylian Saint-Hilaire 2022-07-28 15:12:28 -07:00
parent 2229237470
commit c8d8fc422c
1 changed files with 28 additions and 1 deletions

View File

@ -8539,11 +8539,38 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
for (var i in webRelaySessions) { webRelaySessions[i].checkTimeout(); } for (var i in webRelaySessions) { webRelaySessions[i].checkTimeout(); }
} }
// Return true if this is a private IP address
function isPrivateAddress(ip_addr) {
// If this is a loopback address, return true
if ((ip_addr == '127.0.0.1') || (ip_addr == '::1')) return true;
// Check IPv4 private addresses
const ipcheck = require('ipcheck');
const IPv4PrivateRanges = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16', '172.16.0.0/12', '192.0.0.0/24', '192.0.0.0/29', '192.0.0.8/32', '192.0.0.9/32', '192.0.0.10/32', '192.0.0.170/32', '192.0.0.171/32', '192.0.2.0/24', '192.31.196.0/24', '192.52.193.0/24', '192.88.99.0/24', '192.168.0.0/16', '192.175.48.0/24', '198.18.0.0/15', '198.51.100.0/24', '203.0.113.0/24', '240.0.0.0/4', '255.255.255.255/32']
for (var i in IPv4PrivateRanges) { if (ipcheck.match(ip_addr, IPv4PrivateRanges[i])) return true; }
// Check IPv6 private addresses
return /^::$/.test(ip_addr) ||
/^::1$/.test(ip_addr) ||
/^::f{4}:([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/.test(ip_addr) ||
/^::f{4}:0.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/.test(ip_addr) ||
/^64:ff9b::([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/.test(ip_addr) ||
/^100::([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) ||
/^2001::([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) ||
/^2001:2[0-9a-fA-F]:([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) ||
/^2001:db8:([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) ||
/^2002:([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) ||
/^f[c-d]([0-9a-fA-F]{2,2}):/i.test(ip_addr) ||
/^fe[8-9a-bA-B][0-9a-fA-F]:/i.test(ip_addr) ||
/^ff([0-9a-fA-F]{2,2}):/i.test(ip_addr)
}
// Check that a cookie IP is within the correct range depending on the active policy // Check that a cookie IP is within the correct range depending on the active policy
function checkCookieIp(cookieip, ip) { function checkCookieIp(cookieip, ip) {
if (obj.args.cookieipcheck == 'none') return true; // 'none' - No IP address checking if (obj.args.cookieipcheck == 'none') return true; // 'none' - No IP address checking
if (obj.args.cookieipcheck == 'strict') return (cookieip == ip); // 'strict' - Strict IP address checking, this can cause issues with HTTP proxies or load-balancers. if (obj.args.cookieipcheck == 'strict') return (cookieip == ip); // 'strict' - Strict IP address checking, this can cause issues with HTTP proxies or load-balancers.
return require('ipcheck').match(cookieip, ip + '/24'); // 'lax' - IP address need to be in the some range if (require('ipcheck').match(cookieip, ip + '/24')) return true; // 'lax' - IP address need to be in the some range
return (isPrivateAddress(cookieip) && isPrivateAddress(ip)); // 'lax' - If both IP addresses are private or loopback, accept it. This is needed because sometimes browsers will resolve IP addresses oddly on private networks.
} }
// Takes a formating string like "this {{{a}}} is an {{{b}}} example" and fills the a and b with input o.a and o.b // Takes a formating string like "this {{{a}}} is an {{{b}}} example" and fills the a and b with input o.a and o.b