Always apply Web Console's stricter whitelist to remote IPs

rails · Jun 15, 2015 · fc321fd · fc321fd
1 parent 674abe1
commit fc321fd
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/lib/web_console/request.rb b/lib/web_console/request.rb
@@ -15,7 +15,12 @@ class Request < ActionDispatch::Request
     # For a request to hit Web Console features, it needs to come from a white
     # listed IP.
     def from_whitelited_ip?
-      whitelisted_ips.include?(remote_ip)
+      whitelisted_ips.include?(strict_remote_ip)
+    end
+
+    # Determines the remote IP using our much stricter whitelist.
+    def strict_remote_ip
+      GetSecureIp.new(env, whitelisted_ips).to_s
     end
 
     # Returns whether the request is from an acceptable content type.
@@ -26,5 +31,19 @@ def from_whitelited_ip?
     def acceptable_content_type?
       content_type.blank? || content_type.in?(acceptable_content_types)
     end
+
+    class GetSecureIp < ActionDispatch::RemoteIp::GetIp
+      def initialize(env, proxies)
+        @env      = env
+        @check_ip = true
+        @proxies  = proxies
+      end
+
+      def filter_proxies(ips)
+        ips.reject do |ip|
+          @proxies.include?(ip)
+        end
+      end
+    end
   end
 end
diff --git a/test/web_console/request_test.rb b/test/web_console/request_test.rb
@@ -18,6 +18,30 @@ class RequestTest < ActiveSupport::TestCase
       assert req.from_whitelited_ip?
     end
 
+    test '#from_whitelisted_ip? is truthy for whitelisted IPs via whitelisted proxies' do
+      req = request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '127.0.0.0')
+
+      assert req.from_whitelited_ip?
+    end
+
+    test '#from_whitelisted_ip? is falsy for blacklisted IPs via whitelisted proxies' do
+      req = request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '0.0.0.0')
+
+      assert_not req.from_whitelited_ip?
+    end
+
+    test '#from_whitelisted_ip? is falsy for lying blacklisted IPs via whitelisted proxies' do
+      req = request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '10.0.0.0, 127.0.0.0')
+
+      assert_not req.from_whitelited_ip?
+    end
+
+    test '#from_whitelisted_ip? is falsy for whitelisted IPs via blacklisted proxies' do
+      req = request('http://example.com', 'REMOTE_ADDR' => '10.0.0.0', 'HTTP_X_FORWARDED_FOR' => '127.0.0.0')
+
+      assert_not req.from_whitelited_ip?
+    end
+
     test '#acceptable_content_type? is truthy for explicit HTML content type' do
       html = request('http://example.com', 'CONTENT_TYPE' => 'text/html')
       xhtml = request('http://example.com', 'CONTENT_TYPE' => 'application/xhtml+xml')