ClientIP: check every proxy for trustiness (#2844)
This commit is contained in:
parent
21125bbb3f
commit
5929d52171
39
context.go
39
context.go
@ -766,7 +766,7 @@ func (c *Context) ClientIP() string {
|
|||||||
|
|
||||||
if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
|
if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
|
||||||
for _, headerName := range c.engine.RemoteIPHeaders {
|
for _, headerName := range c.engine.RemoteIPHeaders {
|
||||||
ip, valid := validateHeader(c.requestHeader(headerName))
|
ip, valid := c.engine.validateHeader(c.requestHeader(headerName))
|
||||||
if valid {
|
if valid {
|
||||||
return ip
|
return ip
|
||||||
}
|
}
|
||||||
@ -775,6 +775,17 @@ func (c *Context) ClientIP() string {
|
|||||||
return remoteIP.String()
|
return remoteIP.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (e *Engine) isTrustedProxy(ip net.IP) bool {
|
||||||
|
if e.trustedCIDRs != nil {
|
||||||
|
for _, cidr := range e.trustedCIDRs {
|
||||||
|
if cidr.Contains(ip) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
// RemoteIP parses the IP from Request.RemoteAddr, normalizes and returns the IP (without the port).
|
// RemoteIP parses the IP from Request.RemoteAddr, normalizes and returns the IP (without the port).
|
||||||
// It also checks if the remoteIP is a trusted proxy or not.
|
// It also checks if the remoteIP is a trusted proxy or not.
|
||||||
// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
|
// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
|
||||||
@ -789,35 +800,25 @@ func (c *Context) RemoteIP() (net.IP, bool) {
|
|||||||
return nil, false
|
return nil, false
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.engine.trustedCIDRs != nil {
|
return remoteIP, c.engine.isTrustedProxy(remoteIP)
|
||||||
for _, cidr := range c.engine.trustedCIDRs {
|
|
||||||
if cidr.Contains(remoteIP) {
|
|
||||||
return remoteIP, true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return remoteIP, false
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func validateHeader(header string) (clientIP string, valid bool) {
|
func (e *Engine) validateHeader(header string) (clientIP string, valid bool) {
|
||||||
if header == "" {
|
if header == "" {
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
items := strings.Split(header, ",")
|
items := strings.Split(header, ",")
|
||||||
for i, ipStr := range items {
|
for i := len(items) - 1; i >= 0; i-- {
|
||||||
ipStr = strings.TrimSpace(ipStr)
|
ipStr := strings.TrimSpace(items[i])
|
||||||
ip := net.ParseIP(ipStr)
|
ip := net.ParseIP(ipStr)
|
||||||
if ip == nil {
|
if ip == nil {
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
// We need to return the first IP in the list, but,
|
// X-Forwarded-For is appended by proxy
|
||||||
// we should not early return since we need to validate that
|
// Check IPs in reverse order and stop when find untrusted proxy
|
||||||
// the rest of the header is syntactically valid
|
if (i == 0) || (!e.isTrustedProxy(ip)) {
|
||||||
if i == 0 {
|
return ipStr, true
|
||||||
clientIP = ipStr
|
|
||||||
valid = true
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
|
@ -1419,7 +1419,7 @@ func TestContextClientIP(t *testing.T) {
|
|||||||
|
|
||||||
// Only trust RemoteAddr
|
// Only trust RemoteAddr
|
||||||
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40"})
|
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40"})
|
||||||
assert.Equal(t, "20.20.20.20", c.ClientIP())
|
assert.Equal(t, "30.30.30.30", c.ClientIP())
|
||||||
|
|
||||||
// All steps are trusted
|
// All steps are trusted
|
||||||
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40", "30.30.30.30", "20.20.20.20"})
|
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40", "30.30.30.30", "20.20.20.20"})
|
||||||
|
Loading…
Reference in New Issue
Block a user