1
0
Fork 0
forked from svrjs/svrjs

Added validation of X-Forwarded-For header

This commit is contained in:
Dorian Niemiec 2023-09-03 14:40:41 +02:00
parent d8cf7913be
commit b1ab6e3e4a
3 changed files with 42 additions and 56 deletions

View file

@ -1,9 +1,9 @@
{
"users": [],
"port": 80,
"port": 5555,
"pubport": 80,
"page404": "404.html",
"timestamp": 1693732189583,
"timestamp": 1693743065822,
"blacklist": [],
"nonStandardCodes": [],
"enableCompression": true,
@ -91,7 +91,7 @@
"/.*\\.img$/",
"/.*\\.iso$/"
],
"enableIPSpoofing": false,
"enableIPSpoofing": true,
"secure": false,
"sni": {},
"disableNonEncryptedServer": false,

88
svr.js
View file

@ -2838,31 +2838,37 @@ if (!cluster.isPrimary) {
}
// Set up X-Forwarded-For
var reqport = "";
var reqip = "";
var oldport = "";
var reqip = req.socket.remoteAddress;
var reqport = req.socket.remotePort;
var oldip = "";
if (req.headers["x-forwarded-for"] != undefined && enableIPSpoofing) {
reqport = null;
reqip = req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "");
if (reqip.indexOf(":") == -1) reqip = "::ffff:" + reqip;
try {
oldport = req.socket.remotePort;
oldip = req.socket.remoteAddress;
req.socket.realRemotePort = reqport;
req.socket.realRemoteAddress = reqip;
req.socket.originalRemotePort = oldport;
req.socket.originalRemoteAddress = oldip;
res.socket.realRemotePort = reqport;
res.socket.realRemoteAddress = reqip;
res.socket.originalRemotePort = oldport;
res.socket.originalRemoteAddress = oldip;
} catch (err) {
// Address setting failed
var oldport = "";
var isForwardedValid = true;
if(enableIPSpoofing) {
if (req.headers["x-forwarded-for"] != undefined) {
var preparedReqIP = req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "");
var preparedReqIPvalid = net.isIP(preparedReqIP);
if(preparedReqIPvalid) {
if (preparedReqIPvalid == 4 && req.socket.remoteAddress && req.socket.remoteAddress.indexOf(":") > -1) preparedReqIP = "::ffff:" + preparedReqIP;
reqip = preparedReqIP
reqport = null;
try {
oldport = req.socket.remotePort;
oldip = req.socket.remoteAddress;
req.socket.realRemotePort = reqport;
req.socket.realRemoteAddress = reqip;
req.socket.originalRemotePort = oldport;
req.socket.originalRemoteAddress = oldip;
res.socket.realRemotePort = reqport;
res.socket.realRemoteAddress = reqip;
res.socket.originalRemotePort = oldport;
res.socket.originalRemoteAddress = oldip;
} catch (err) {
// Address setting failed
}
} else {
isForwardedValid = false;
}
}
} else {
reqip = req.socket.remoteAddress;
reqport = req.socket.remotePort;
}
reqcounter++;
@ -3324,33 +3330,6 @@ if (!cluster.isPrimary) {
return;
}
var reqport = "";
var reqip = "";
var oldport = "";
var oldip = "";
if (req.headers["x-forwarded-for"] != undefined && enableIPSpoofing) {
reqport = null;
reqip = req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "");
if (reqip.indexOf(":") == -1) reqip = "::ffff:" + reqip;
try {
oldport = req.socket.remotePort;
oldip = req.socket.remoteAddress;
req.socket.realRemotePort = reqport;
req.socket.realRemoteAddress = reqip;
req.socket.originalRemotePort = oldport;
req.socket.originalRemoteAddress = oldip;
res.socket.realRemotePort = reqport;
res.socket.realRemoteAddress = reqip;
res.socket.originalRemotePort = oldport;
res.socket.originalRemoteAddress = oldip;
} catch (err) {
// Nevermind...
}
} else {
reqip = req.socket.remoteAddress;
reqport = req.socket.remotePort;
}
// Function to check the level of a path relative to the web root
function checkPathLevel(path) {
// Split the path into an array of components based on "/"
@ -4090,11 +4069,18 @@ if (!cluster.isPrimary) {
}
}
// Check for invalid X-Forwarded-For header
if(!isForwardedValid) {
serverconsole.errmessage("X-Forwarded-For header is invalid.");
callServerError(400);
return;
}
// Handle redirects to HTTPS
if(secure && !fromMain && !disableNonEncryptedServer && !disableToHTTPSRedirect) {
var hostx = req.headers.host;
if (hostx === undefined) {
serverconsole.errmessage("Bad request!");
serverconsole.errmessage("Host header is missing.");
callServerError(400);
return;
}

View file

@ -1 +1 @@
53
55