From c8d8fc422c264389e7a0184ee28a0794ef2f47cb Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Thu, 28 Jul 2022 15:12:28 -0700 Subject: [PATCH] When doing session IP address checkingin default 'lax' mode, if both addresses are private/loopback, it's now accepted as a match. --- webserver.js | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/webserver.js b/webserver.js index feda538f..31b9c3be 100644 --- a/webserver.js +++ b/webserver.js @@ -8539,11 +8539,38 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF for (var i in webRelaySessions) { webRelaySessions[i].checkTimeout(); } } + // Return true if this is a private IP address + function isPrivateAddress(ip_addr) { + // If this is a loopback address, return true + if ((ip_addr == '127.0.0.1') || (ip_addr == '::1')) return true; + + // Check IPv4 private addresses + const ipcheck = require('ipcheck'); + const IPv4PrivateRanges = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16', '172.16.0.0/12', '192.0.0.0/24', '192.0.0.0/29', '192.0.0.8/32', '192.0.0.9/32', '192.0.0.10/32', '192.0.0.170/32', '192.0.0.171/32', '192.0.2.0/24', '192.31.196.0/24', '192.52.193.0/24', '192.88.99.0/24', '192.168.0.0/16', '192.175.48.0/24', '198.18.0.0/15', '198.51.100.0/24', '203.0.113.0/24', '240.0.0.0/4', '255.255.255.255/32'] + for (var i in IPv4PrivateRanges) { if (ipcheck.match(ip_addr, IPv4PrivateRanges[i])) return true; } + + // Check IPv6 private addresses + return /^::$/.test(ip_addr) || + /^::1$/.test(ip_addr) || + /^::f{4}:([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/.test(ip_addr) || + /^::f{4}:0.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/.test(ip_addr) || + /^64:ff9b::([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/.test(ip_addr) || + /^100::([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) || + /^2001::([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) || + /^2001:2[0-9a-fA-F]:([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) || + /^2001:db8:([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) || + /^2002:([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4}):?([0-9a-fA-F]{0,4})$/.test(ip_addr) || + /^f[c-d]([0-9a-fA-F]{2,2}):/i.test(ip_addr) || + /^fe[8-9a-bA-B][0-9a-fA-F]:/i.test(ip_addr) || + /^ff([0-9a-fA-F]{2,2}):/i.test(ip_addr) + } + // Check that a cookie IP is within the correct range depending on the active policy function checkCookieIp(cookieip, ip) { if (obj.args.cookieipcheck == 'none') return true; // 'none' - No IP address checking if (obj.args.cookieipcheck == 'strict') return (cookieip == ip); // 'strict' - Strict IP address checking, this can cause issues with HTTP proxies or load-balancers. - return require('ipcheck').match(cookieip, ip + '/24'); // 'lax' - IP address need to be in the some range + if (require('ipcheck').match(cookieip, ip + '/24')) return true; // 'lax' - IP address need to be in the some range + return (isPrivateAddress(cookieip) && isPrivateAddress(ip)); // 'lax' - If both IP addresses are private or loopback, accept it. This is needed because sometimes browsers will resolve IP addresses oddly on private networks. } // Takes a formating string like "this {{{a}}} is an {{{b}}} example" and fills the a and b with input o.a and o.b