akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity
Files
ef5efd2e33c89b40aa95fa0b4783fd2ac4e839d9
Charon/backend/internal/security/whitelist.go
GitHub Actions 9ec23cd48b fix: enhance security features 
- Updated `crowdsec_handler.go` to log inaccessible paths during config export and handle permission errors gracefully.
- Modified `emergency_handler.go` to clear admin whitelist during security reset and ensure proper updates to security configurations.
- Enhanced user password update functionality in `user_handler.go` to reset failed login attempts and lockout status.
- Introduced rate limiting middleware in `cerberus` to manage request rates and prevent abuse, with comprehensive tests for various scenarios.
- Added validation for proxy host entries in `proxyhost_service.go` to ensure valid hostnames and IP addresses, including tests for various cases.
- Improved IP matching logic in `whitelist.go` to support both IPv4 and IPv6 loopback addresses.
- Updated configuration loading in `config.go` to include rate limiting parameters from environment variables.
- Added tests for new functionalities and validations to ensure robustness and reliability.
2026-02-07 23:48:13 +00:00

62 lines
1.4 KiB
Go
Raw Blame History

package security
import (
"net"
"strings"
"github.com/Wikid82/charon/backend/internal/util"
)
// IsIPInCIDRList returns true if clientIP matches any CIDR or IP in the list.
// The list is a comma-separated string of CIDRs and/or IPs.
func IsIPInCIDRList(clientIP, cidrList string) bool {
if strings.TrimSpace(cidrList) == "" {
return false
}
canonical := util.CanonicalizeIPForSecurity(clientIP)
ip := net.ParseIP(canonical)
if ip == nil {
return false
}
parts := strings.Split(cidrList, ",")
for _, part := range parts {
entry := strings.TrimSpace(part)
if entry == "" {
continue
}
if parsed := net.ParseIP(entry); parsed != nil {
// Fix for Issue 1: Canonicalize entry to support mixed IPv4/IPv6 loopback matching
// This ensures that "::1" in the list matches "127.0.0.1" (from canonicalized client IP)
if canonEntry := util.CanonicalizeIPForSecurity(entry); canonEntry != "" {
if p := net.ParseIP(canonEntry); p != nil {
parsed = p
}
}
if ip.Equal(parsed) {
return true
}
continue
}
_, cidr, err := net.ParseCIDR(entry)
if err != nil {
continue
}
if cidr.Contains(ip) {
return true
}
// Fix for Issue 1: Handle IPv6 loopback CIDR matching against canonicalized IPv4 localhost
// If client is 127.0.0.1 (canonical localhost) and CIDR contains ::1, allow it
if ip.Equal(net.IPv4(127, 0, 0, 1)) && cidr.Contains(net.IPv6loopback) {
return true
}
}
return false
}
Reference in New Issue View Git Blame Copy Permalink