add cdn ip range feature

mobula9 · mobula9 · commit 9336726cba27 · 2020-12-22T14:43:46.000+01:00
diff --git a/inc/admin/advanced-settings.php b/inc/admin/advanced-settings.php
@@ -56,15 +56,11 @@ function adminAdvancedSettings()
 
     // Field "crowdsec_redis_dsn"
     addFieldString('crowdsec_redis_dsn', 'Redis DSN<br>(if applicable)', 'crowdsec_plugin_advanced_settings', 'crowdsec_advanced_settings', 'crowdsec_admin_advanced_cache', function ($input) {
-        // TODO P1 block remove if cache set to redis
-        // TODO P1 Display an error in all sections (settings and advanced) when a cache config can not work.
         return $input;
     }, '<p>Fill in this field only if you have chosen the Redis cache.<br>Example of DSN: redis://localhost:6379.', 'redis://...', '');
 
     // Field "crowdsec_memcached_dsn"
     addFieldString('crowdsec_memcached_dsn', 'Memcached DSN<br>(if applicable)', 'crowdsec_plugin_advanced_settings', 'crowdsec_advanced_settings', 'crowdsec_admin_advanced_cache', function ($input) {
-        // TODO P1 block remove if cache set to memcached
-        // TODO P1 Display an error in all sections (settings and advanced) when a cache config can not work.
         return $input;
     }, '<p>Fill in this field only if you have chosen the Memcached cache.<br>Example of DSN: memcached://localhost:11211.', 'memcached://...', '');
 
@@ -174,7 +170,8 @@ function adminAdvancedSettings()
     foreach (Constants::ORDERED_REMEDIATIONS as $remediation) {
         $choice[$remediation] = $remediation;
     }
-    addFieldSelect('crowdsec_fallback_remediation', 'Fallback to', 'crowdsec_plugin_advanced_settings', 'crowdsec_advanced_settings', 'crowdsec_admin_advanced_remediations', function ($input) {
+    addFieldSelect('crowdsec_fallback_remediation', 'Fallback to', 'crowdsec_plugin_advanced_settings', 'crowdsec_advanced_settings',
+    'crowdsec_admin_advanced_remediations', function ($input) {
         if (!in_array($input, Constants::ORDERED_REMEDIATIONS)) {
             $input = CROWDSEC_BOUNCING_LEVEL_DISABLED;
             add_settings_error('Fallback to', 'crowdsec_error', 'Fallback to: Incorrect Fallback selected.');
@@ -183,6 +180,64 @@ function adminAdvancedSettings()
         return $input;
     }, '<p>Which remediation to apply when CrowdSec advises unhandled remediation.</p>', $choice);
 
+    function cidrToLongBounds(int $longIp, int $factor): array
+    {
+        $range = [];
+        $range[0] = (($longIp) & ((-1 << (32 - $factor))));
+        $range[1] = ((($range[0])) + pow(2, (32 - $factor)) - 1);
+
+        return $range;
+    }
+
+    function convertInlineIpRangesToLongArray(string $inlineIpRanges): array
+    {
+        $longIpBoundsList = [];
+        $stringRangeArray = explode(',', $inlineIpRanges);
+        foreach ($stringRangeArray as $stringRange) {
+            $stringRange = trim($stringRange);
+            if (false !== strpos($stringRange, '/')) {
+                $stringRange = explode('/', $stringRange);
+                $longIp = ip2long($stringRange[0]);
+                $factor = (int) $stringRange[1];
+                if (false === $longIp) {
+                    throw new WordpressCrowdSecBouncerException('Invalid IP List format.');
+                }
+                if (0 === (int) $factor) {
+                    throw new WordpressCrowdSecBouncerException('Invalid IP List format.');
+                }
+                $longBounds = cidrToLongBounds($longIp, $factor);
+                $longIpBoundsList = array_merge($longIpBoundsList, [$longBounds]);
+            } else {
+                $long = ip2long($stringRange);
+                if (false === $long) {
+                    throw new WordpressCrowdSecBouncerException('Invalid IP List format.');
+                }
+                $longIpBoundsList = array_merge($longIpBoundsList, [[$long, $long]]);
+            }
+        }
+        return $longIpBoundsList;
+    }
+
+    // Field "crowdsec_trust_ip_forward"
+    addFieldString('crowdsec_trust_ip_forward_list', 'Trust these CDN IPs<br>(or Load Balancer, HTTP Proxy)', 'crowdsec_plugin_advanced_settings',
+    'crowdsec_advanced_settings', 'crowdsec_admin_advanced_remediations', function ($input) {
+        try {
+            $longList = convertInlineIpRangesToLongArray($input);
+            update_option('crowdsec_trust_ip_forward_array', $longList);
+            AdminNotice::displaySuccess('Ips with XFF to trust successfully saved.');
+        } catch (WordpressCrowdSecBouncerException $e) {
+            update_option('crowdsec_trust_ip_forward_array', []);
+            add_settings_error('Trust these CDN IPs', 'crowdsec_error', 'Trust these CDN IPs: Invalid IP List format.');
+
+            return '';
+        }
+
+        return $input;
+    }, '<p>The <em><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For" '.
+    'target="_blank">X-forwarded-For</a></em> HTTP Header will be trust only when the client IP is in this list.'.
+    '<br><strong>Comma (,)</strong> separated ips or ips ranges. Example: 1.2.3.4/24, 2.3.4.5, 3.4.5.6/27',
+    'fill the IPs or IPs ranges here...', '');
+
     // Field "crowdsec_hide_mentions"
     addFieldCheckbox('crowdsec_hide_mentions', 'Hide CrowdSec mentions', 'crowdsec_plugin_advanced_settings', 'crowdsec_advanced_settings', 'crowdsec_admin_advanced_remediations', function () {
         // Stream mode just activated.
diff --git a/inc/bounce-current-ip.php b/inc/bounce-current-ip.php
@@ -5,8 +5,35 @@
 
 function bounceCurrentIp()
 {
+    function shouldTrustXforwardedFor(string $ip): bool
+    {
+        $longIp = ip2long($ip);
+        foreach (get_option('crowdsec_trust_ip_forward_array') as $longBounds) {
+            if ($longIp >= $longBounds[0] && $longIp <= $longBounds[1]) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     $ip = $_SERVER['REMOTE_ADDR'];
 
+    // X-Forwarded-For override
+    if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
+        $ipList = array_map('trim', array_values(array_filter(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']))));
+        $forwardedIp = end($ipList);
+        if (shouldTrustXforwardedFor($ip)) {
+            $ip = $forwardedIp;
+        } else {
+            getCrowdSecLoggerInstance()->warning('', [
+                'type' => 'WP_NON_AUTHORIZED_X_FORWARDED_FOR_USAGE',
+                'original_ip' => $ip,
+                'x_forwarded_for_ip' => $forwardedIp,
+            ]);
+        }
+    }
+
     function displayCaptchaWall()
     {
         header('HTTP/1.0 401 Unauthorized');
diff --git a/inc/plugin-setup.php b/inc/plugin-setup.php
@@ -29,6 +29,8 @@ function activate_crowdsec_plugin()
     update_option('crowdsec_fallback_remediation', Constants::REMEDIATION_CAPTCHA);
 
     update_option('crowdsec_hide_mentions', false);
+    update_option('crowdsec_trust_ip_forward', '');
+    update_option('crowdsec_trust_ip_forward_array', []);
 }
 
 /**
@@ -68,4 +70,6 @@ function deactivate_crowdsec_plugin()
     delete_option('crowdsec_fallback_remediation');
 
     delete_option('crowdsec_hide_mentions');
+    delete_option('crowdsec_trust_ip_forward');
+    delete_option('crowdsec_trust_ip_forward_array');
 }

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@ function activate_crowdsec_plugin()`
`29`	`29`	`update_option('crowdsec_fallback_remediation', Constants::REMEDIATION_CAPTCHA);`
`30`	`30`
`31`	`31`	`update_option('crowdsec_hide_mentions', false);`
	`32`	`+ update_option('crowdsec_trust_ip_forward', '');`
	`33`	`+ update_option('crowdsec_trust_ip_forward_array', []);`
`32`	`34`	`}`
`33`	`35`
`34`	`36`	`/**`
`@@ -68,4 +70,6 @@ function deactivate_crowdsec_plugin()`
`68`	`70`	`delete_option('crowdsec_fallback_remediation');`
`69`	`71`
`70`	`72`	`delete_option('crowdsec_hide_mentions');`
	`73`	`+ delete_option('crowdsec_trust_ip_forward');`
	`74`	`+ delete_option('crowdsec_trust_ip_forward_array');`
`71`	`75`	`}`