GitHub/ergo
3
0
Fork 0
mirror of https://github.com/ergochat/ergo.git synced 2024-11-10 22:19:31 +01:00
Code Issues Projects Releases Wiki Activity
98b91e7bdd
ergo/irc/utils/net.go
Shivaram Lingamneni 3dc5c8de78 more work on websocket support
2020-05-04 23:26:51 -04:00

196 lines
5.6 KiB
Go
Raw Blame History

// Copyright (c) 2012-2014 Jeremy Latt
// Copyright (c) 2016 Daniel Oaks <daniel@danieloaks.net>
// released under the MIT license
package utils
import (
"net"
"regexp"
"strings"
)
var (
// subnet mask for an ipv6 /128:
mask128 = net.CIDRMask(128, 128)
IPv4LoopbackAddress = net.ParseIP("127.0.0.1").To16()
validHostnameLabelRegexp = regexp.MustCompile(`^[0-9A-Za-z.\-]+$`)
)
// AddrToIP returns the IP address for a net.Addr; unix domain sockets are treated as IPv4 loopback
func AddrToIP(addr net.Addr) net.IP {
if tcpaddr, ok := addr.(*net.TCPAddr); ok {
return tcpaddr.IP.To16()
} else if _, ok := addr.(*net.UnixAddr); ok {
return IPv4LoopbackAddress
} else {
return nil
}
}
// IPStringToHostname converts a string representation of an IP address to an IRC-ready hostname
func IPStringToHostname(ipStr string) string {
if 0 < len(ipStr) && ipStr[0] == ':' {
// fix for IPv6 hostnames (so they don't start with a colon), same as all other IRCds
ipStr = "0" + ipStr
}
return ipStr
}
// IsHostname returns whether we consider `name` a valid hostname.
func IsHostname(name string) bool {
name = strings.TrimSuffix(name, ".")
if len(name) < 1 || len(name) > 253 {
return false
}
// ensure each part of hostname is valid
for _, part := range strings.Split(name, ".") {
if len(part) < 1 || len(part) > 63 || strings.HasPrefix(part, "-") || strings.HasSuffix(part, "-") {
return false
}
if !validHostnameLabelRegexp.MatchString(part) {
return false
}
}
return true
}
// IsServerName returns whether we consider `name` a valid IRC server name.
func IsServerName(name string) bool {
// IRC server names specifically require a period
return IsHostname(name) && strings.IndexByte(name, '.') != -1
}
// Convenience to test whether `ip` is contained in any of `nets`.
func IPInNets(ip net.IP, nets []net.IPNet) bool {
for _, network := range nets {
if network.Contains(ip) {
return true
}
}
return false
}
// NormalizeIPToNet represents an address (v4 or v6) as the v6 /128 CIDR
// containing only it.
func NormalizeIPToNet(addr net.IP) (network net.IPNet) {
// represent ipv4 addresses as ipv6 addresses, using the 4-in-6 prefix
// (actually this should be a no-op for any address returned by ParseIP)
addr = addr.To16()
// the network corresponding to this address is now an ipv6 /128:
return net.IPNet{
IP: addr,
Mask: mask128,
}
}
// NormalizeNet normalizes an IPNet to a v6 CIDR, using the 4-in-6 prefix.
// (this is like IP.To16(), but for IPNet instead of IP)
func NormalizeNet(network net.IPNet) (result net.IPNet) {
if len(network.IP) == 16 {
return network
}
ones, _ := network.Mask.Size()
return net.IPNet{
IP: network.IP.To16(),
// include the 96 bits of the 4-in-6 prefix
Mask: net.CIDRMask(96+ones, 128),
}
}
// Given a network, produce a human-readable string
// (i.e., CIDR if it's actually a network, IPv6 address if it's a v6 /128,
// dotted quad if it's a v4 /32).
func NetToNormalizedString(network net.IPNet) string {
ones, bits := network.Mask.Size()
if ones == bits && ones == len(network.IP)*8 {
// either a /32 or a /128, output the address:
return network.IP.String()
}
return network.String()
}
// Parse a human-readable description (an address or CIDR, either v4 or v6)
// into a normalized v6 net.IPNet.
func NormalizedNetFromString(str string) (result net.IPNet, err error) {
_, network, err := net.ParseCIDR(str)
if err == nil {
return NormalizeNet(*network), nil
}
ip := net.ParseIP(str)
if ip == nil {
err = &net.AddrError{
Err: "Couldn't interpret as either CIDR or address",
Addr: str,
}
return
}
return NormalizeIPToNet(ip), nil
}
// Parse a list of IPs and nets as they would appear in one of our config
// files, e.g., proxy-allowed-from or a throttling exemption list.
func ParseNetList(netList []string) (nets []net.IPNet, err error) {
var network net.IPNet
for _, netStr := range netList {
if netStr == "localhost" {
ipv4Loopback, _ := NormalizedNetFromString("127.0.0.0/8")
ipv6Loopback, _ := NormalizedNetFromString("::1/128")
nets = append(nets, ipv4Loopback)
nets = append(nets, ipv6Loopback)
continue
}
network, err = NormalizedNetFromString(netStr)
if err != nil {
return
} else {
nets = append(nets, network)
}
}
return
}
// Process the X-Forwarded-For header, validating against a list of trusted IPs.
// Returns the address that the request was forwarded for, or nil if no trustworthy
// data was available.
func HandleXForwardedFor(remoteAddr string, xForwardedFor string, whitelist []net.IPNet) (result net.IP) {
// http.Request.RemoteAddr "has no defined format". with TCP it's typically "127.0.0.1:23784",
// with unix domain it's typically "@"
var remoteIP net.IP
host, _, err := net.SplitHostPort(remoteAddr)
if err != nil {
remoteIP = IPv4LoopbackAddress
} else {
remoteIP = net.ParseIP(host)
}
if remoteIP == nil || !IPInNets(remoteIP, whitelist) {
return remoteIP
}
// walk backwards through the X-Forwarded-For chain looking for an IP
// that is *not* trusted. that means it was added by one of our trusted
// forwarders (either remoteIP or something ahead of it in the chain)
// and we can trust it:
result = remoteIP
forwardedIPs := strings.Split(xForwardedFor, ",")
for i := len(forwardedIPs) - 1; i >= 0; i-- {
proxiedIP := net.ParseIP(strings.TrimSpace(forwardedIPs[i]))
if proxiedIP == nil {
return
} else if !IPInNets(proxiedIP, whitelist) {
return proxiedIP
} else {
result = proxiedIP
}
}
// no valid untrusted IPs were found in the chain;
// return either the last valid and trusted IP (which must be the origin),
// or nil:
return
}
Reference in New Issue View Git Blame Copy Permalink