mirror of
https://github.com/ergochat/ergo.git
synced 2024-12-21 10:12:53 +01:00
196 lines
5.6 KiB
Go
196 lines
5.6 KiB
Go
// Copyright (c) 2012-2014 Jeremy Latt
|
|
// Copyright (c) 2016 Daniel Oaks <daniel@danieloaks.net>
|
|
// released under the MIT license
|
|
|
|
package utils
|
|
|
|
import (
|
|
"net"
|
|
"regexp"
|
|
"strings"
|
|
)
|
|
|
|
var (
|
|
// subnet mask for an ipv6 /128:
|
|
mask128 = net.CIDRMask(128, 128)
|
|
IPv4LoopbackAddress = net.ParseIP("127.0.0.1").To16()
|
|
|
|
validHostnameLabelRegexp = regexp.MustCompile(`^[0-9A-Za-z.\-]+$`)
|
|
)
|
|
|
|
// AddrToIP returns the IP address for a net.Addr; unix domain sockets are treated as IPv4 loopback
|
|
func AddrToIP(addr net.Addr) net.IP {
|
|
if tcpaddr, ok := addr.(*net.TCPAddr); ok {
|
|
return tcpaddr.IP.To16()
|
|
} else if _, ok := addr.(*net.UnixAddr); ok {
|
|
return IPv4LoopbackAddress
|
|
} else {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// IPStringToHostname converts a string representation of an IP address to an IRC-ready hostname
|
|
func IPStringToHostname(ipStr string) string {
|
|
if 0 < len(ipStr) && ipStr[0] == ':' {
|
|
// fix for IPv6 hostnames (so they don't start with a colon), same as all other IRCds
|
|
ipStr = "0" + ipStr
|
|
}
|
|
return ipStr
|
|
}
|
|
|
|
// IsHostname returns whether we consider `name` a valid hostname.
|
|
func IsHostname(name string) bool {
|
|
name = strings.TrimSuffix(name, ".")
|
|
if len(name) < 1 || len(name) > 253 {
|
|
return false
|
|
}
|
|
|
|
// ensure each part of hostname is valid
|
|
for _, part := range strings.Split(name, ".") {
|
|
if len(part) < 1 || len(part) > 63 || strings.HasPrefix(part, "-") || strings.HasSuffix(part, "-") {
|
|
return false
|
|
}
|
|
if !validHostnameLabelRegexp.MatchString(part) {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// IsServerName returns whether we consider `name` a valid IRC server name.
|
|
func IsServerName(name string) bool {
|
|
// IRC server names specifically require a period
|
|
return IsHostname(name) && strings.IndexByte(name, '.') != -1
|
|
}
|
|
|
|
// Convenience to test whether `ip` is contained in any of `nets`.
|
|
func IPInNets(ip net.IP, nets []net.IPNet) bool {
|
|
for _, network := range nets {
|
|
if network.Contains(ip) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// NormalizeIPToNet represents an address (v4 or v6) as the v6 /128 CIDR
|
|
// containing only it.
|
|
func NormalizeIPToNet(addr net.IP) (network net.IPNet) {
|
|
// represent ipv4 addresses as ipv6 addresses, using the 4-in-6 prefix
|
|
// (actually this should be a no-op for any address returned by ParseIP)
|
|
addr = addr.To16()
|
|
// the network corresponding to this address is now an ipv6 /128:
|
|
return net.IPNet{
|
|
IP: addr,
|
|
Mask: mask128,
|
|
}
|
|
}
|
|
|
|
// NormalizeNet normalizes an IPNet to a v6 CIDR, using the 4-in-6 prefix.
|
|
// (this is like IP.To16(), but for IPNet instead of IP)
|
|
func NormalizeNet(network net.IPNet) (result net.IPNet) {
|
|
if len(network.IP) == 16 {
|
|
return network
|
|
}
|
|
ones, _ := network.Mask.Size()
|
|
return net.IPNet{
|
|
IP: network.IP.To16(),
|
|
// include the 96 bits of the 4-in-6 prefix
|
|
Mask: net.CIDRMask(96+ones, 128),
|
|
}
|
|
}
|
|
|
|
// Given a network, produce a human-readable string
|
|
// (i.e., CIDR if it's actually a network, IPv6 address if it's a v6 /128,
|
|
// dotted quad if it's a v4 /32).
|
|
func NetToNormalizedString(network net.IPNet) string {
|
|
ones, bits := network.Mask.Size()
|
|
if ones == bits && ones == len(network.IP)*8 {
|
|
// either a /32 or a /128, output the address:
|
|
return network.IP.String()
|
|
}
|
|
return network.String()
|
|
}
|
|
|
|
// Parse a human-readable description (an address or CIDR, either v4 or v6)
|
|
// into a normalized v6 net.IPNet.
|
|
func NormalizedNetFromString(str string) (result net.IPNet, err error) {
|
|
_, network, err := net.ParseCIDR(str)
|
|
if err == nil {
|
|
return NormalizeNet(*network), nil
|
|
}
|
|
ip := net.ParseIP(str)
|
|
if ip == nil {
|
|
err = &net.AddrError{
|
|
Err: "Couldn't interpret as either CIDR or address",
|
|
Addr: str,
|
|
}
|
|
return
|
|
}
|
|
return NormalizeIPToNet(ip), nil
|
|
}
|
|
|
|
// Parse a list of IPs and nets as they would appear in one of our config
|
|
// files, e.g., proxy-allowed-from or a throttling exemption list.
|
|
func ParseNetList(netList []string) (nets []net.IPNet, err error) {
|
|
var network net.IPNet
|
|
for _, netStr := range netList {
|
|
if netStr == "localhost" {
|
|
ipv4Loopback, _ := NormalizedNetFromString("127.0.0.0/8")
|
|
ipv6Loopback, _ := NormalizedNetFromString("::1/128")
|
|
nets = append(nets, ipv4Loopback)
|
|
nets = append(nets, ipv6Loopback)
|
|
continue
|
|
}
|
|
network, err = NormalizedNetFromString(netStr)
|
|
if err != nil {
|
|
return
|
|
} else {
|
|
nets = append(nets, network)
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
// Process the X-Forwarded-For header, validating against a list of trusted IPs.
|
|
// Returns the address that the request was forwarded for, or nil if no trustworthy
|
|
// data was available.
|
|
func HandleXForwardedFor(remoteAddr string, xForwardedFor string, whitelist []net.IPNet) (result net.IP) {
|
|
// http.Request.RemoteAddr "has no defined format". with TCP it's typically "127.0.0.1:23784",
|
|
// with unix domain it's typically "@"
|
|
var remoteIP net.IP
|
|
host, _, err := net.SplitHostPort(remoteAddr)
|
|
if err != nil {
|
|
remoteIP = IPv4LoopbackAddress
|
|
} else {
|
|
remoteIP = net.ParseIP(host)
|
|
}
|
|
|
|
if remoteIP == nil || !IPInNets(remoteIP, whitelist) {
|
|
return remoteIP
|
|
}
|
|
|
|
// walk backwards through the X-Forwarded-For chain looking for an IP
|
|
// that is *not* trusted. that means it was added by one of our trusted
|
|
// forwarders (either remoteIP or something ahead of it in the chain)
|
|
// and we can trust it:
|
|
result = remoteIP
|
|
forwardedIPs := strings.Split(xForwardedFor, ",")
|
|
for i := len(forwardedIPs) - 1; i >= 0; i-- {
|
|
proxiedIP := net.ParseIP(strings.TrimSpace(forwardedIPs[i]))
|
|
if proxiedIP == nil {
|
|
return
|
|
} else if !IPInNets(proxiedIP, whitelist) {
|
|
return proxiedIP
|
|
} else {
|
|
result = proxiedIP
|
|
}
|
|
}
|
|
|
|
// no valid untrusted IPs were found in the chain;
|
|
// return either the last valid and trusted IP (which must be the origin),
|
|
// or nil:
|
|
return
|
|
}
|