From 1159abf9ec8f33328d0bb61a99b6f61bcab74aa2 Mon Sep 17 00:00:00 2001 From: Julian Lam Date: Fri, 18 Aug 2017 15:05:49 -0400 Subject: [PATCH] fixes #5879 --- package.json | 1 + src/meta/blacklist.js | 20 +++++++++++++++----- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 6fa914da46..148c7c4ac2 100644 --- a/package.json +++ b/package.json @@ -41,6 +41,7 @@ "express-useragent": "1.0.7", "html-to-text": "3.3.0", "ip": "1.1.5", + "ip-range-check": "^0.0.2", "jimp": "0.2.28", "jquery": "^3.1.0", "json-2-csv": "^2.0.22", diff --git a/src/meta/blacklist.js b/src/meta/blacklist.js index 1ef6cfe0a9..80f3ca1190 100644 --- a/src/meta/blacklist.js +++ b/src/meta/blacklist.js @@ -1,6 +1,7 @@ 'use strict'; var ip = require('ip'); +var ipRangeCheck = require('ip-range-check'); var winston = require('winston'); var async = require('async'); @@ -27,6 +28,7 @@ Blacklist.load = function (callback) { ipv4: rules.ipv4, ipv6: rules.ipv6, cidr: rules.cidr, + cidr6: rules.cidr6, }; next(); }, @@ -53,11 +55,12 @@ Blacklist.get = function (callback) { Blacklist.test = function (clientIp, callback) { if ( - Blacklist._rules.ipv4.indexOf(clientIp) === -1 &&// not explicitly specified in ipv4 list - Blacklist._rules.ipv6.indexOf(clientIp) === -1 &&// not explicitly specified in ipv6 list + Blacklist._rules.ipv4.indexOf(clientIp) === -1 && // not explicitly specified in ipv4 list + Blacklist._rules.ipv6.indexOf(clientIp) === -1 && // not explicitly specified in ipv6 list !Blacklist._rules.cidr.some(function (subnet) { return ip.cidrSubnet(subnet).contains(clientIp); - }) // not in a blacklisted cidr range + }) && // not in a blacklisted IPv4 cidr range + !ipRangeCheck(clientIp, Blacklist._rules.cidr6) // not in a blacklisted IPv6 cidr range ) { if (typeof callback === 'function') { setImmediate(callback); @@ -81,9 +84,11 @@ Blacklist.validate = function (rules, callback) { var ipv4 = []; var ipv6 = []; var cidr = []; + var cidr6 = []; var invalid = []; - var isCidrSubnet = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$/; + var isIPv4CidrSubnet = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$/; + var isIPv6CidrSubnet = /^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/; var inlineCommentMatch = /#.*$/; var whitelist = ['127.0.0.1', '::1', '::ffff:0:127.0.0.1']; @@ -109,7 +114,11 @@ Blacklist.validate = function (rules, callback) { ipv6.push(rule); return true; } - if (isCidrSubnet.test(rule)) { + if (isIPv4CidrSubnet.test(rule)) { + cidr.push(rule); + return true; + } + if (isIPv6CidrSubnet.test(rule)) { cidr.push(rule); return true; } @@ -123,6 +132,7 @@ Blacklist.validate = function (rules, callback) { ipv4: ipv4, ipv6: ipv6, cidr: cidr, + cidr6: cidr6, valid: rules, invalid: invalid, });