feat: #11868 apply blacklist to routes (#11873)

api and regular routes dont allow blacklisting self ip check blacklist on socket emits
2 years ago · 23404ad103
parent b44ffaf306
commit 23404ad103
5 changed files with 20 additions and 9 deletions
--- a/public/language/en-GB/error.json
+++ b/public/language/en-GB/error.json
@ -62,6 +62,7 @@
 	"user-banned-reason-until": "Sorry, this account has been banned until %1 (Reason: %2)",
 	"user-too-new": "Sorry, you are required to wait %1 second(s) before making your first post",
 	"blacklisted-ip": "Sorry, your IP address has been banned from this community. If you feel this is in error, please contact an administrator.",
+	"cant-blacklist-self-ip": "You can't blacklist your own IP",
 	"ban-expiry-missing": "Please provide an end date for this ban",

 	"no-category": "Category does not exist",
--- a/src/meta/blacklist.js
+++ b/src/meta/blacklist.js
@ -38,6 +38,16 @@ Blacklist.save = async function (rules) {
 	pubsub.publish('blacklist:reload');
 };

+Blacklist.addRule = async function (rule) {
+	const { valid } = Blacklist.validate(rule);
+	if (!valid.length) {
+		throw new Error('[[error:invalid-rule]]');
+	}
+	let rules = await Blacklist.get();
+	rules = `${rules}\n${valid[0]}`;
+	await Blacklist.save(rules);
+};
+
 Blacklist.get = async function () {
 	const data = await db.getObject('ip-blacklist-rules');
 	return data && data.rules;
@ -165,12 +175,4 @@ Blacklist.validate = function (rules) {
 	};
 };

-Blacklist.addRule = async function (rule) {
-	const { valid } = Blacklist.validate(rule);
-	if (!valid.length) {
-		throw new Error('[[error:invalid-rule]]');
-	}
-	let rules = await Blacklist.get();
-	rules = `${rules}\n${valid[0]}`;
-	await Blacklist.save(rules);
-};
+
--- a/src/routes/helpers.js
+++ b/src/routes/helpers.js
@ -16,6 +16,7 @@ helpers.setupPageRoute = function (...args) {
 	}

 	middlewares = [
+		middleware.applyBlacklist,
 		middleware.authenticateRequest,
 		middleware.maintenanceMode,
 		middleware.registrationComplete,
@ -53,6 +54,7 @@ helpers.setupApiRoute = function (...args) {
 	const controller = args[args.length - 1];

 	middlewares = [
+		middleware.applyBlacklist,
 		middleware.authenticateRequest,
 		middleware.maintenanceMode,
 		middleware.registrationComplete,
--- a/src/socket.io/blacklist.js
+++ b/src/socket.io/blacklist.js
@ -24,6 +24,10 @@ async function blacklist(socket, method, rule) {
 	if (!isAdminOrGlobalMod) {
 		throw new Error('[[error:no-privileges]]');
 	}
+	if (socket.ip && rule.includes(socket.ip)) {
+		throw new Error('[[error:cant-blacklist-self-ip]]');
+	}
+
 	await meta.blacklist[method](rule);
 	await events.log({
 		type: `ip-blacklist-${method}`,
--- a/src/socket.io/index.js
+++ b/src/socket.io/index.js
@ -12,6 +12,7 @@ const user = require('../user');
 const logger = require('../logger');
 const plugins = require('../plugins');
 const ratelimit = require('../middleware/ratelimit');
+const blacklist = require('../meta/blacklist');

 const Namespaces = Object.create(null);

@ -178,6 +179,7 @@ async function onMessage(socket, payload) {
 			return socket.disconnect();
 		}

+		await blacklist.test(socket.ip);
 		await checkMaintenance(socket);
 		await validateSession(socket, '[[error:revalidate-failure]]');