From 88a74b2c4183a3a96ad830aa750ce94727c4ab3c Mon Sep 17 00:00:00 2001 From: LSmyrnaios Date: Thu, 15 Jun 2023 13:26:27 +0300 Subject: [PATCH] Add support for all private addresses, defined in "RFC 1918" standard. This fixes the issue of discarding some "shutdownService" requests due to coming from different local private addresses, when the Controller was run inside a docker container. --- .../urls_controller/services/ShutdownServiceImpl.java | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/main/java/eu/openaire/urls_controller/services/ShutdownServiceImpl.java b/src/main/java/eu/openaire/urls_controller/services/ShutdownServiceImpl.java index 4b9d349..62d5bcc 100644 --- a/src/main/java/eu/openaire/urls_controller/services/ShutdownServiceImpl.java +++ b/src/main/java/eu/openaire/urls_controller/services/ShutdownServiceImpl.java @@ -13,6 +13,7 @@ import org.springframework.web.client.RestTemplate; import javax.servlet.http.HttpServletRequest; import java.net.ConnectException; +import java.util.regex.Pattern; @Service @@ -21,6 +22,9 @@ public class ShutdownServiceImpl implements ShutdownService { private static final Logger logger = LoggerFactory.getLogger(ShutdownServiceImpl.class); + // Private Addresses, according to RFC 1918: https://www.rfc-editor.org/rfc/rfc1918 + private static final Pattern PRIVATE_IP_ADDRESSES_RFC_1918 = Pattern.compile("(?:10.|172.(?:1[6-9]|2[0-9]|3[0-1])|192.168.)[0-9.]+"); + public ResponseEntity passSecurityChecks(HttpServletRequest request, String initMsg) { 
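Review bot: The dots in `PRIVATE_IP_ADDRESSES_RFC_1918` are unescaped and the 172 branch requires no separator after the second octet, so the pattern classifies public addresses as private. `10.` also matches `100.` through `109.`, and `172.16` followed by `[0-9.]+` matches a constructed example such as `172.160.1.1`. Because this pattern gates the shutdown endpoint, escape the dots and require the dot after the second octet: `Pattern.compile("(?:10\\.|172\\.(?:1[6-9]|2[0-9]|3[0-1])\\.|192\\.168\\.)[0-9.]+")`. Alternatively, parse the value and call `InetAddress.isSiteLocalAddress()` to avoid hand-written ranges, after confirming the input is a numeric literal so that no name lookup is triggered.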
@@ -31,8 +35,8 @@ public class ShutdownServiceImpl implements ShutdownService {
 String remoteAddr = GenericUtils.getRequestorAddress(request);
 // In case the Controller is running inside a docker container, and we want to send the "shutdownServiceRequest" from the terminal (with curl), without entering inside the container,
- // then the request will appear coming from a local IP (192.168.X.Y), instead of localhost.
- if ( ! (remoteAddr.equals("127.0.0.1") || remoteAddr.startsWith("192.168.") || remoteAddr.equals(UriBuilder.ip) ) ) {
+ // then the request will appear coming from a local (private) IP, instead of localhost.
+ if ( ! (remoteAddr.equals("127.0.0.1") || remoteAddr.equals(UriBuilder.ip) || PRIVATE_IP_ADDRESSES_RFC_1918.matcher(remoteAddr).matches()) ) {
 logger.error(initMsg + "The request came from another IP: " + remoteAddr + " | while the Controller has the IP: " + UriBuilder.ip);
 return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
 }
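Review bot: The rewritten condition in `passSecurityChecks` authorises a shutdown from any RFC 1918 source, which is considerably wider than the previous localhost / `192.168.` / own-IP test: every host on any attached private network now passes. How `GenericUtils.getRequestorAddress` derives the address is not visible in this diff; if it consults a forwarding header such as `X-Forwarded-For`, the value is client-supplied and should be honoured only when the request arrives from a known proxy. Consider limiting the accepted sources to a configured allow-list (for example the docker bridge gateway) or requiring a credential for this endpoint. At minimum, document the trust assumption above the check: `// Address check only: any host on a private network passes, so keep this endpoint unreachable from untrusted networks.` The method begins and ends outside this hunk.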