ClientIP: check every proxy for trustiness (#2844)

This commit is contained in:
Egor Seredin 2021-10-09 09:38:51 +09:00 committed by GitHub
parent 21125bbb3f
commit 5929d52171
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 20 deletions

View File

@ -766,7 +766,7 @@ func (c *Context) ClientIP() string {
if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil { if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
for _, headerName := range c.engine.RemoteIPHeaders { for _, headerName := range c.engine.RemoteIPHeaders {
ip, valid := validateHeader(c.requestHeader(headerName)) ip, valid := c.engine.validateHeader(c.requestHeader(headerName))
if valid { if valid {
return ip return ip
} }
@ -775,6 +775,17 @@ func (c *Context) ClientIP() string {
return remoteIP.String() return remoteIP.String()
} }
func (e *Engine) isTrustedProxy(ip net.IP) bool {
if e.trustedCIDRs != nil {
for _, cidr := range e.trustedCIDRs {
if cidr.Contains(ip) {
return true
}
}
}
return false
}
// RemoteIP parses the IP from Request.RemoteAddr, normalizes and returns the IP (without the port). // RemoteIP parses the IP from Request.RemoteAddr, normalizes and returns the IP (without the port).
// It also checks if the remoteIP is a trusted proxy or not. // It also checks if the remoteIP is a trusted proxy or not.
// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks // In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
@ -789,35 +800,25 @@ func (c *Context) RemoteIP() (net.IP, bool) {
return nil, false return nil, false
} }
if c.engine.trustedCIDRs != nil { return remoteIP, c.engine.isTrustedProxy(remoteIP)
for _, cidr := range c.engine.trustedCIDRs {
if cidr.Contains(remoteIP) {
return remoteIP, true
}
}
} }
return remoteIP, false func (e *Engine) validateHeader(header string) (clientIP string, valid bool) {
}
func validateHeader(header string) (clientIP string, valid bool) {
if header == "" { if header == "" {
return "", false return "", false
} }
items := strings.Split(header, ",") items := strings.Split(header, ",")
for i, ipStr := range items { for i := len(items) - 1; i >= 0; i-- {
ipStr = strings.TrimSpace(ipStr) ipStr := strings.TrimSpace(items[i])
ip := net.ParseIP(ipStr) ip := net.ParseIP(ipStr)
if ip == nil { if ip == nil {
return "", false return "", false
} }
// We need to return the first IP in the list, but, // X-Forwarded-For is appended by proxy
// we should not early return since we need to validate that // Check IPs in reverse order and stop when find untrusted proxy
// the rest of the header is syntactically valid if (i == 0) || (!e.isTrustedProxy(ip)) {
if i == 0 { return ipStr, true
clientIP = ipStr
valid = true
} }
} }
return return

View File

@ -1419,7 +1419,7 @@ func TestContextClientIP(t *testing.T) {
// Only trust RemoteAddr // Only trust RemoteAddr
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40"}) _ = c.engine.SetTrustedProxies([]string{"40.40.40.40"})
assert.Equal(t, "20.20.20.20", c.ClientIP()) assert.Equal(t, "30.30.30.30", c.ClientIP())
// All steps are trusted // All steps are trusted
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40", "30.30.30.30", "20.20.20.20"}) _ = c.engine.SetTrustedProxies([]string{"40.40.40.40", "30.30.30.30", "20.20.20.20"})