From d9d2153fcc082d3c035b5eaf3f26a5b9f8da8364 Mon Sep 17 00:00:00 2001 From: leonklingele Date: Mon, 5 Dec 2022 08:27:51 +0100 Subject: [PATCH] :adhesive_bandage: Fix: Properly handle error of "net.ParseCIDR" in "(*App).handleTrustedProxy" (#2243) * app: do not use empty *net.IPNet in case of an error of "net.ParseCIDR" * app: expose error returned by "net.ParseCIDR" * ctx: do not repeatedly call method in loop * ctx: add test for "IsProxyTrusted" func --- app.go | 7 ++-- ctx.go | 9 ++--- ctx_test.go | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 107 insertions(+), 8 deletions(-) diff --git a/app.go b/app.go index 0c48cebb96..504a1efc50 100644 --- a/app.go +++ b/app.go @@ -585,12 +585,11 @@ func New(config ...Config) *App { func (app *App) handleTrustedProxy(ipAddress string) { if strings.Contains(ipAddress, "/") { _, ipNet, err := net.ParseCIDR(ipAddress) - if err != nil { - fmt.Printf("[Warning] IP range `%s` could not be parsed. \n", ipAddress) + fmt.Printf("[Warning] IP range %q could not be parsed: %v\n", ipAddress, err) + } else { + app.config.trustedProxyRanges = append(app.config.trustedProxyRanges, ipNet) } - - app.config.trustedProxyRanges = append(app.config.trustedProxyRanges, ipNet) } else { app.config.trustedProxiesMap[ipAddress] = struct{}{} } diff --git a/ctx.go b/ctx.go index 92d7fad985..50cdc06a41 100644 --- a/ctx.go +++ b/ctx.go @@ -1747,13 +1747,14 @@ func (c *Ctx) IsProxyTrusted() bool { return true } - _, trusted := c.app.config.trustedProxiesMap[c.fasthttp.RemoteIP().String()] - if trusted { - return trusted + ip := c.fasthttp.RemoteIP() + + if _, trusted := c.app.config.trustedProxiesMap[ip.String()]; trusted { + return true } for _, ipNet := range c.app.config.trustedProxyRanges { - if ipNet.Contains(c.fasthttp.RemoteIP()) { + if ipNet.Contains(ip) { return true } } diff --git a/ctx_test.go b/ctx_test.go index c2b2c2d9e6..ab6bbfb418 100644 --- a/ctx_test.go +++ b/ctx_test.go 
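Review bot: The single-address branch at the end of this hunk still stores `ipAddress` verbatim in `trustedProxiesMap`, so the validation this commit adds for CIDR entries has no counterpart for plain IPs. An entry with a typo, stray whitespace or a non-canonical IPv6 spelling can never equal the `ip.String()` key that IsProxyTrusted looks up, and it drops out of the trust list without any warning. Consider parsing it with `net.ParseIP(ipAddress)`, printing the same warning when the result is nil, and storing the canonical form with `app.config.trustedProxiesMap[ip.String()] = struct{}{}`. The closing brace of handleTrustedProxy lies outside the hunk.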
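Review bot: IsProxyTrusted has an early `return true` in the first context line of the ctx.go hunk, and its condition is outside the hunk. The new tests show that a default `New()` app takes that path, so every peer counts as a trusted proxy unless `EnableTrustedProxyCheck` is set. That fail-open default deserves a sentence in the method's doc comment, for example `// IsProxyTrusted reports whether the remote IP is a trusted proxy; it returns true for every peer when EnableTrustedProxyCheck is false.` The function begins before the hunk, so the existing comment is not visible here and may already say this.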
@@ -1023,6 +1023,105 @@ func Test_Ctx_Get(t *testing.T) { utils.AssertEqual(t, "default", c.Get("unknown", "default")) } +// go test -run Test_Ctx_IsProxyTrusted +func Test_Ctx_IsProxyTrusted(t *testing.T) { + t.Parallel() + + { + app := New() + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + utils.AssertEqual(t, true, c.IsProxyTrusted()) + } + { + app := New(Config{ + EnableTrustedProxyCheck: false, + }) + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + utils.AssertEqual(t, true, c.IsProxyTrusted()) + } + + { + app := New(Config{ + EnableTrustedProxyCheck: true, + }) + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + utils.AssertEqual(t, false, c.IsProxyTrusted()) + } + { + app := New(Config{ + EnableTrustedProxyCheck: true, + + TrustedProxies: []string{}, + }) + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + utils.AssertEqual(t, false, c.IsProxyTrusted()) + } + { + app := New(Config{ + EnableTrustedProxyCheck: true, + + TrustedProxies: []string{ + "127.0.0.1", + }, + }) + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + utils.AssertEqual(t, false, c.IsProxyTrusted()) + } + { + app := New(Config{ + EnableTrustedProxyCheck: true, + + TrustedProxies: []string{ + "127.0.0.1/8", + }, + }) + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + utils.AssertEqual(t, false, c.IsProxyTrusted()) + } + { + app := New(Config{ + EnableTrustedProxyCheck: true, + + TrustedProxies: []string{ + "0.0.0.0", + }, + }) + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + utils.AssertEqual(t, true, c.IsProxyTrusted()) + } + { + app := New(Config{ + EnableTrustedProxyCheck: true, + + TrustedProxies: []string{ + "0.0.0.1/31", + }, + }) + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + utils.AssertEqual(t, true, c.IsProxyTrusted()) + } + { + app := New(Config{ + EnableTrustedProxyCheck: true, + + 
TrustedProxies: []string{ + "0.0.0.1/31junk", + }, + }) + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + utils.AssertEqual(t, false, c.IsProxyTrusted()) + } +} + // go test -run Test_Ctx_Hostname func Test_Ctx_Hostname(t *testing.T) { t.Parallel()
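Review bot: Every case in Test_Ctx_IsProxyTrusted appears to rely on a zero-value `fasthttp.RequestCtx` reporting `0.0.0.0` as its remote IP, which is why `"127.0.0.1"` expects false and `"0.0.0.0"` expects true, but nothing in the test says so. A comment at the top such as `// A zero-value fasthttp.RequestCtx has the remote IP 0.0.0.0.` would let the expectations be read without knowing fasthttp internals. The `"0.0.0.1/31junk"` case only covers a list whose sole entry is invalid; a case that mixes that entry with `"0.0.0.0"` and expects true would also pin that a rejected range does not disable the valid entries. The `defer app.ReleaseCtx(c)` calls sit in bare blocks, so they all run when the test function returns rather than at the end of each block.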