starsz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-dashboard.git
The following commit(s) were added to refs/heads/master by this push:
new b54c195 fix: use remote address instead of client ip (#1831)
b54c195 is described below
commit b54c19508e6265775069adee467acbc181b0acaf
Author: Peter Zhu <[email protected]>
AuthorDate: Fri Apr 30 15:07:18 2021 +0800
fix: use remote address instead of client ip (#1831)
---
api/internal/filter/ip_filter.go | 6 +++++-
api/internal/filter/ip_filter_test.go | 19 +++++++++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/api/internal/filter/ip_filter.go b/api/internal/filter/ip_filter.go
index de62cf5..2d07dea 100644
--- a/api/internal/filter/ip_filter.go
+++ b/api/internal/filter/ip_filter.go
@@ -19,6 +19,7 @@ package filter
import (
"net"
"net/http"
+ "strings"
"github.com/gin-gonic/gin"
@@ -81,7 +82,10 @@ func checkIP(ipStr string, ips map[string]bool, subnets
[]*subnet) bool {
func IPFilter() gin.HandlerFunc {
ips, subnets := generateIPSet(conf.AllowList)
return func(c *gin.Context) {
- ipStr := c.ClientIP()
+ var ipStr string
+ if ip, _, err :=
net.SplitHostPort(strings.TrimSpace(c.Request.RemoteAddr)); err == nil {
+ ipStr = ip
+ }
if len(conf.AllowList) < 1 {
c.Next()
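Review bot: The error from `net.SplitHostPort` is discarded, so an unparseable `RemoteAddr` leaves `ipStr` empty and the decision falls to `checkIP`, whose body is outside this hunk. It presumably rejects an empty string, but that fail-closed behaviour should be stated rather than incidental, for example `// on parse failure ipStr stays "" and must never match an allow-list entry`. Separately, `RemoteAddr` is the direct TCP peer, so behind a reverse proxy or load balancer every request carries the proxy's address and the allow list no longer distinguishes individual clients. A comment beside the assignment would record that trade-off, e.g. `// RemoteAddr is the direct peer; forwarded headers are ignored because the client controls them`. The handler closure continues past the end of the hunk.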
diff --git a/api/internal/filter/ip_filter_test.go
b/api/internal/filter/ip_filter_test.go
index f9de048..dad4da6 100644
--- a/api/internal/filter/ip_filter_test.go
+++ b/api/internal/filter/ip_filter_test.go
@@ -17,6 +17,7 @@
package filter
import (
+ "net/http/httptest"
"testing"
"github.com/gin-gonic/gin"
@@ -55,4 +56,22 @@ func TestIPFilter_Handle(t *testing.T) {
})
w = performRequest(r, "GET", "/test")
assert.Equal(t, 200, w.Code)
+
+ // should forbidden
+ conf.AllowList = []string{"127.0.0.1"}
+ r = gin.New()
+ r.Use(IPFilter())
+ r.GET("/test", func(c *gin.Context) {})
+
+ req := httptest.NewRequest("GET", "/test", nil)
+ req.Header.Set("X-Forwarded-For", "127.0.0.1")
+ w = httptest.NewRecorder()
+ r.ServeHTTP(w, req)
+ assert.Equal(t, 403, w.Code)
+
+ req = httptest.NewRequest("GET", "/test", nil)
+ req.Header.Set("X-Real-Ip", "127.0.0.1")
+ w = httptest.NewRecorder()
+ r.ServeHTTP(w, req)
+ assert.Equal(t, 403, w.Code)
}
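Review bot: Both new cases assert only the 403 path, and they pass because `httptest.NewRequest` fills in a default `RemoteAddr` that is not in the allow list, which the test never states. A short comment such as `// NewRequest sets a non-loopback RemoteAddr, so the spoofed header must not grant access` would make the intent clear. The suite would be stronger with a positive case that sets `req.RemoteAddr = "127.0.0.1:1234"` and expects 200, plus one with a malformed `RemoteAddr` expecting 403, to pin the parse-failure path in `IPFilter`. The test also assigns the package-level `conf.AllowList` without restoring it, which can leak into other tests in the package. `TestIPFilter_Handle` begins outside this hunk.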