diff --git a/src/main/java/eu/openaire/urls_controller/services/ShutdownServiceImpl.java b/src/main/java/eu/openaire/urls_controller/services/ShutdownServiceImpl.java
index 4b9d349..62d5bcc 100644
--- a/src/main/java/eu/openaire/urls_controller/services/ShutdownServiceImpl.java
+++ b/src/main/java/eu/openaire/urls_controller/services/ShutdownServiceImpl.java
@@ -13,6 +13,7 @@ import org.springframework.web.client.RestTemplate;
 import javax.servlet.http.HttpServletRequest;
 import java.net.ConnectException;
+import java.util.regex.Pattern;
 @Service
@@ -21,6 +22,9 @@ public class ShutdownServiceImpl implements ShutdownService {
 private static final Logger logger = LoggerFactory.getLogger(ShutdownServiceImpl.class);
+ // Private Addresses, according to RFC 1918: https://www.rfc-editor.org/rfc/rfc1918
+ private static final Pattern PRIVATE_IP_ADDRESSES_RFC_1918 = Pattern.compile("(?:10.|172.(?:1[6-9]|2[0-9]|3[0-1])|192.168.)[0-9.]+");
+
 public ResponseEntity passSecurityChecks(HttpServletRequest request, String initMsg) {
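Review bot: The dots in PRIVATE_IP_ADDRESSES_RFC_1918 are not escaped, so each `.` matches any character and the pattern admits public addresses: `10.` matches `100` through `109` (so `104.16.0.1` passes as private), and the 172 branch has no separator after the second octet, so `172.160.0.1` matches as `172.16` plus `0.0.1`. Escape the dots and close the 172 branch: `Pattern.compile("(?:10\\.|172\\.(?:1[6-9]|2[0-9]|3[0-1])\\.|192\\.168\\.)[0-9.]+")`. Alternatively drop the regex and use `InetAddress.getByName(remoteAddr).isSiteLocalAddress()`, which implements exactly these three IPv4 ranges, provided remoteAddr is always an address literal rather than a hostname (otherwise that call performs a DNS lookup). The constant is consumed in passSecurityChecks, whose body continues beyond this hunk.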
@@ -31,8 +35,8 @@ public class ShutdownServiceImpl implements ShutdownService {
 String remoteAddr = GenericUtils.getRequestorAddress(request);
 // In case the Controller is running inside a docker container, and we want to send the "shutdownServiceRequest" from the terminal (with curl), without entering inside the container,
- // then the request will appear coming from a local IP (192.168.X.Y), instead of localhost.
- if ( ! (remoteAddr.equals("127.0.0.1") || remoteAddr.startsWith("192.168.") || remoteAddr.equals(UriBuilder.ip) ) ) {
+ // then the request will appear coming from a local (private) IP, instead of localhost.
+ if ( ! (remoteAddr.equals("127.0.0.1") || remoteAddr.equals(UriBuilder.ip) || PRIVATE_IP_ADDRESSES_RFC_1918.matcher(remoteAddr).matches()) ) {
 logger.error(initMsg + "The request came from another IP: " + remoteAddr + " | while the Controller has the IP: " + UriBuilder.ip);
 return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
 }
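Review bot: The rewritten condition widens the shutdown allow-list from 192.168.0.0/16 to all three RFC 1918 ranges while the requester's address remains the only gate visible here, so any host on a reachable 10/8 or 172.16/12 network can trigger a shutdown; note also that `127.0.0.1` is the only loopback form accepted, so a connection over IPv6 loopback (`::1` or `0:0:0:0:0:0:0:1`) is rejected. Whether the address can be trusted at all depends on how GenericUtils.getRequestorAddress derives it: if it honors X-Forwarded-For or similar headers, the value is client-controlled and this check is bypassable, but that method is not visible in this diff. I would record the assumption next to the docker comment: `// NOTE: the remote address is the only gate on shutdown; it must not come from client-supplied headers, and this endpoint must stay unreachable from untrusted networks.` passSecurityChecks starts before and continues after this hunk.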