ClientIP: check every proxy for trustiness (#2844)
This commit is contained in:
parent
21125bbb3f
commit
5929d52171
39
context.go
39
context.go
@ -766,7 +766,7 @@ func (c *Context) ClientIP() string {
|
||||
|
||||
if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
|
||||
for _, headerName := range c.engine.RemoteIPHeaders {
|
||||
ip, valid := validateHeader(c.requestHeader(headerName))
|
||||
ip, valid := c.engine.validateHeader(c.requestHeader(headerName))
|
||||
if valid {
|
||||
return ip
|
||||
}
|
||||
@ -775,6 +775,17 @@ func (c *Context) ClientIP() string {
|
||||
return remoteIP.String()
|
||||
}
|
||||
|
||||
func (e *Engine) isTrustedProxy(ip net.IP) bool {
|
||||
if e.trustedCIDRs != nil {
|
||||
for _, cidr := range e.trustedCIDRs {
|
||||
if cidr.Contains(ip) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// RemoteIP parses the IP from Request.RemoteAddr, normalizes and returns the IP (without the port).
|
||||
// It also checks if the remoteIP is a trusted proxy or not.
|
||||
// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
|
||||
@ -789,35 +800,25 @@ func (c *Context) RemoteIP() (net.IP, bool) {
|
||||
return nil, false
|
||||
}
|
||||
|
||||
if c.engine.trustedCIDRs != nil {
|
||||
for _, cidr := range c.engine.trustedCIDRs {
|
||||
if cidr.Contains(remoteIP) {
|
||||
return remoteIP, true
|
||||
}
|
||||
}
|
||||
return remoteIP, c.engine.isTrustedProxy(remoteIP)
|
||||
}
|
||||
|
||||
return remoteIP, false
|
||||
}
|
||||
|
||||
func validateHeader(header string) (clientIP string, valid bool) {
|
||||
func (e *Engine) validateHeader(header string) (clientIP string, valid bool) {
|
||||
if header == "" {
|
||||
return "", false
|
||||
}
|
||||
items := strings.Split(header, ",")
|
||||
for i, ipStr := range items {
|
||||
ipStr = strings.TrimSpace(ipStr)
|
||||
for i := len(items) - 1; i >= 0; i-- {
|
||||
ipStr := strings.TrimSpace(items[i])
|
||||
ip := net.ParseIP(ipStr)
|
||||
if ip == nil {
|
||||
return "", false
|
||||
}
|
||||
|
||||
// We need to return the first IP in the list, but,
|
||||
// we should not early return since we need to validate that
|
||||
// the rest of the header is syntactically valid
|
||||
if i == 0 {
|
||||
clientIP = ipStr
|
||||
valid = true
|
||||
// X-Forwarded-For is appended by proxy
|
||||
// Check IPs in reverse order and stop when find untrusted proxy
|
||||
if (i == 0) || (!e.isTrustedProxy(ip)) {
|
||||
return ipStr, true
|
||||
}
|
||||
}
|
||||
return
|
||||
|
@ -1419,7 +1419,7 @@ func TestContextClientIP(t *testing.T) {
|
||||
|
||||
// Only trust RemoteAddr
|
||||
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40"})
|
||||
assert.Equal(t, "20.20.20.20", c.ClientIP())
|
||||
assert.Equal(t, "30.30.30.30", c.ClientIP())
|
||||
|
||||
// All steps are trusted
|
||||
_ = c.engine.SetTrustedProxies([]string{"40.40.40.40", "30.30.30.30", "20.20.20.20"})
|
||||
|
Loading…
Reference in New Issue
Block a user