From 6bcf45f136f4ecf3ed9ae64a6dec95b180c80614 Mon Sep 17 00:00:00 2001
From: Ludovic Fernandez
Date: Wed, 30 May 2018 09:26:03 +0200
Subject: [PATCH] fix: whitelist and XFF.

---
 server/header_rewriter.go | 2 +-
 whitelist/ip.go | 19 +++++++++++--------
 whitelist/ip_test.go | 8 ++++++++
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/server/header_rewriter.go b/server/header_rewriter.go
index 193220385..b4b46b2d7 100644
--- a/server/header_rewriter.go
+++ b/server/header_rewriter.go
@@ -44,7 +44,7 @@ func (h *headerRewriter) Rewrite(req *http.Request) {
 err := h.ips.IsAuthorized(req)
 if err != nil {
- log.Error(err)
+ log.Debug(err)
 h.secureRewriter.Rewrite(req)
 return
 }
diff --git a/whitelist/ip.go b/whitelist/ip.go
index 33a988eba..bfb74e007 100644
--- a/whitelist/ip.go
+++ b/whitelist/ip.go
@@ -61,16 +61,19 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
 xFFs := req.Header[XForwardedFor]
 if len(xFFs) > 0 {
 for _, xFF := range xFFs {
- ok, err := ip.contains(parseHost(xFF))
- if err != nil {
- return err
- }
+ xffs := strings.Split(xFF, ",")
+ for _, xff := range xffs {
+ ok, err := ip.contains(parseHost(xff))
+ if err != nil {
+ return err
+ }
 
- if ok {
- return nil
- }
+ if ok {
+ return nil
+ }
 
- invalidMatches = append(invalidMatches, xFF)
+ invalidMatches = append(invalidMatches, xff)
+ }
 }
 }
 }
diff --git a/whitelist/ip_test.go b/whitelist/ip_test.go
index f29c09335..0b0efefc0 100644
--- a/whitelist/ip_test.go
+++ b/whitelist/ip_test.go
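Review bot: `log.Debug(err)` now hides every IsAuthorized failure, and the whitelist/ip.go hunk in this same patch shows IsAuthorized returning the error from `ip.contains(parseHost(xff))` unchanged, so a malformed X-Forwarded-For entry becomes indistinguishable from the routine "remote address not whitelisted" denial that this downgrade is presumably meant to quiet. If the two cases can be told apart (a sentinel error for the not-whitelisted case, say), keep Debug for the expected denial and log the parse error at a higher level; otherwise at least keep the request in the message so a denial can be traced, e.g. `log.Debugf("request from %s is not trusted, applying secure rewriter: %v", req.RemoteAddr, err)` assuming the logger has a formatted variant. The fallthrough to `h.secureRewriter.Rewrite(req)` remains the correct fail-closed outcome. Rewrite starts before and ends after this hunk.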
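Review bot: After `strings.Split(xFF, ",")` every element but the first keeps its leading space (`"1.2.3.1, 10.2.3.1"` yields `" 10.2.3.1"`) and is passed straight to `parseHost`, so unless parseHost trims, a whitelisted address that is not the first entry of a compact header still fails to match, and a trailing comma yields an empty element; the new test only exercises the first position. Trim each piece: `ok, err := ip.contains(parseHost(strings.TrimSpace(xff)))` and `invalidMatches = append(invalidMatches, strings.TrimSpace(xff))`. A short comment above the split would help the next reader, e.g. `// A proxy may fold several X-Forwarded-For hops into one comma-separated value.`. The match-any-hop semantics are pre-existing, but worth stating in the IsAuthorized doc comment, since the leading hops of the header are supplied by the client and only a trusted proxy that rewrites the header makes them meaningful. IsAuthorized starts before and ends after this hunk.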
@@ -27,6 +27,14 @@ func TestIsAuthorized(t *testing.T) {
 xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
 authorized: true,
 },
+ {
+ desc: "allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor in range (compact XFF)",
+ whiteList: []string{"1.2.3.4/24"},
+ allowXForwardedFor: true,
+ remoteAddr: "10.2.3.1:123",
+ xForwardedForValues: []string{"1.2.3.1, 10.2.3.1"},
+ authorized: true,
+ },
 {
 desc: "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
 whiteList: []string{"1.2.3.4/24"},
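Review bot: The added case puts the whitelisted address first (`"1.2.3.1, 10.2.3.1"`), so it passes whether or not the code trims the space that `strings.Split` leaves on the later elements; add the mirrored case `xForwardedForValues: []string{"10.2.3.1, 1.2.3.1"},` with the same expectation so position-dependent handling is caught. A negative compact-header case where no hop is whitelisted (`"10.2.3.1, 10.2.3.2"` with `authorized: false`) would pin the fail-closed path as well. TestIsAuthorized starts before and ends after this hunk.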