Merge pull request #31 from securenative/dev

inbaltako · web-flow · commit 1094b18ed8f0 · 2020-10-27T19:09:03.000+02:00
Support ipv6 extraction
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    securenative (0.1.36)
+    securenative (0.1.37)
 
 GEM
   remote: https://rubygems.org/
diff --git a/lib/securenative/utils/request_utils.rb b/lib/securenative/utils/request_utils.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'ipaddr'
+
 module SecureNative
   module Utils
     class RequestUtils
@@ -24,14 +26,20 @@ def self.get_client_ip_from_request(request, options)
               if h.nil?
                 h = request.env[self.parse_ip(header)]
               end
-              return h.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless h.nil?
+              parsed = self.parse_proxy_header(h, header)
+              if self.validate_ip(parsed)
+                return parsed
+              end
             rescue NoMethodError
               begin
                 h = request[header]
                 if h.nil?
                   h = request.env[self.parse_ip(header)]
                 end
-                return h.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless h.nil?
+                parsed = self.parse_proxy_header(h, header)
+                if self.validate_ip(parsed)
+                  return parsed
+                end
               rescue NoMethodError
                 # Ignored
               end
@@ -40,36 +48,66 @@ def self.get_client_ip_from_request(request, options)
         end
 
         begin
-          x_forwarded_for = request.env['HTTP_X_FORWARDED_FOR']
-          return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+          header_value = request.env['HTTP_X_FORWARDED_FOR']
+          if header_value.include? ','
+            header_value = ip.split(',')[0]
+          end
+          if self.validate_ip(header_value)
+            return header_value
+          end
         rescue NoMethodError
           begin
-            x_forwarded_for = request['HTTP_X_FORWARDED_FOR']
-            return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+            header_value = request['HTTP_X_FORWARDED_FOR']
+            if header_value.include? ','
+              header_value = ip.split(',')[0]
+            end
+            if self.validate_ip(header_value)
+              return header_value
+            end
           rescue NoMethodError
             # Ignored
           end
         end
 
         begin
-          x_forwarded_for = request.env['HTTP_X_REAL_IP']
-          return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+          header_value = request.env['HTTP_X_REAL_IP']
+          if header_value.include? ','
+            header_value = ip.split(',')[0]
+          end
+          if self.validate_ip(header_value)
+            return header
+          end
         rescue NoMethodError
           begin
-            x_forwarded_for = request['HTTP_X_REAL_IP']
-            return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+            header_value = request['HTTP_X_REAL_IP']
+            if header_value.include? ','
+              header_value = ip.split(',')[0]
+            end
+            if self.validate_ip(header_value)
+              return header_value
+            end
           rescue NoMethodError
             # Ignored
           end
         end
 
         begin
-          x_forwarded_for = request.env['REMOTE_ADDR']
-          return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+          header_value = request.env['REMOTE_ADDR']
+          if header_value.include? ','
+            header_value = ip.split(',')[0]
+          end
+          if self.validate_ip(header_value)
+            return header_value
+          end
         rescue NoMethodError
           begin
-            x_forwarded_for = request['REMOTE_ADDR']
-            return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+            header_value = request['REMOTE_ADDR']
+            if header_value.include? ','
+              header_value = ip.split(',')[0]
+            end
+            if self.validate_ip(header_value)
+              return header_value
+            end
           rescue NoMethodError
             # Ignored
           end
@@ -96,6 +134,35 @@ def self.parse_ip(headers)
         h = headers.gsub('-', '_')
         return PREFIX + h.upcase
       end
+
+      def self.parse_proxy_header(headers, header_key)
+        h = headers.gsub(header_key + ': ', '')
+        if headers.include? ','
+          h = h.split(',')[0]
+        end
+        return h
+      end
+
+      def self.validate_ip(ip)
+        if ip.nil?
+          return false
+        end
+
+        begin
+          ipaddr = IPAddr.new(ip)
+          if ipaddr.ipv4?
+            return true
+          end
+
+          if ipaddr.ipv6?
+            return true
+          end
+        rescue Exception
+          # Ignored
+        end
+
+        return false
+      end
     end
   end
 end
diff --git a/lib/securenative/version.rb b/lib/securenative/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureNative
-  VERSION = '0.1.36'
+  VERSION = '0.1.37'
 end
diff --git a/spec/securenative/spec_api_manager.rb b/spec/securenative/spec_api_manager.rb
@@ -55,7 +55,7 @@
         'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
         'Authorization' => 'YOUR_API_KEY',
         'Content-Type' => 'application/json',
-        'Sn-Version' => '0.1.36',
+        'Sn-Version' => '0.1.37',
         'User-Agent' => 'SecureNative-ruby'
       }
     ).to_return(status: 200, body: '', headers: {})
diff --git a/spec/securenative/spec_event_manager.rb b/spec/securenative/spec_event_manager.rb
@@ -29,7 +29,7 @@ def initialize
               'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
               'Authorization' => 'YOUR_API_KEY',
               'Content-Type' => 'application/json',
-              'Sn-Version' => '0.1.36',
+              'Sn-Version' => '0.1.37',
               'User-Agent' => 'SecureNative-ruby'
             })
       .to_return(status: 200, body: '', headers: {})
@@ -53,7 +53,7 @@ def initialize
               'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
               'Authorization' => 'YOUR_API_KEY',
               'Content-Type' => 'application/json',
-              'Sn-Version' => '0.1.36',
+              'Sn-Version' => '0.1.37',
               'User-Agent' => 'SecureNative-ruby'
             })
       .to_return(status: 401, body: '', headers: {})
@@ -74,7 +74,7 @@ def initialize
               'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
               'Authorization' => 'YOUR_API_KEY',
               'Content-Type' => 'application/json',
-              'Sn-Version' => '0.1.36',
+              'Sn-Version' => '0.1.37',
               'User-Agent' => 'SecureNative-ruby'
             })
       .to_return(status: 500, body: '', headers: {})
diff --git a/spec/securenative/spec_http_client.rb b/spec/securenative/spec_http_client.rb
@@ -15,7 +15,7 @@
               'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
               'Authorization' => 'YOUR_API_KEY',
               'Content-Type' => 'application/json',
-              'Sn-Version' => '0.1.36',
+              'Sn-Version' => '0.1.37',
               'User-Agent' => 'SecureNative-ruby'
             }).to_return(status: 200, body: '', headers: {})
 
diff --git a/spec/securenative/utils/spec_request_utils.rb b/spec/securenative/utils/spec_request_utils.rb
@@ -5,7 +5,7 @@
 require 'rspec'
 
 RSpec.describe SecureNative::Utils::RequestUtils do
-  it 'extract a request with proxy headers' do
+  it 'extract a request with proxy headers ipv4' do
     options = SecureNative::Options.new
     options.proxy_headers = [
       'CF-Connecting-IP'
@@ -23,4 +23,42 @@
 
     expect(client_ip).to eq('203.0.113.1')
   end
+
+  it 'extract a request with proxy headers ipv6' do
+    options = SecureNative::Options.new
+    options.proxy_headers = [
+        'CF-Connecting-IP'
+    ]
+
+    stub_request(:get, 'http://www.example.com/')
+        .with(headers: {
+            'Accept' => '*/*',
+            'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
+            'User-Agent' => 'Ruby'
+        }).to_return(status: 200, body: '', headers: { 'CF-Connecting-IP' => 'CF-Connecting-IP: f71f:5bf9:25ff:1883:a8c4:eeff:7b80:aa2d' })
+
+    request = Net::HTTP.get_response('www.example.com', '/')
+    client_ip = SecureNative::Utils::RequestUtils.get_client_ip_from_request(request, options)
+
+    expect(client_ip).to eq('f71f:5bf9:25ff:1883:a8c4:eeff:7b80:aa2d')
+  end
+
+  it 'extract a request with proxy headers multiple ipv4' do
+    options = SecureNative::Options.new
+    options.proxy_headers = [
+        'CF-Connecting-IP'
+    ]
+
+    stub_request(:get, 'http://www.example.com/')
+        .with(headers: {
+            'Accept' => '*/*',
+            'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
+            'User-Agent' => 'Ruby'
+        }).to_return(status: 200, body: '', headers: { 'CF-Connecting-IP' => 'CF-Connecting-IP: 141.246.115.116, 203.0.113.1, 12.34.56.3' })
+
+    request = Net::HTTP.get_response('www.example.com', '/')
+    client_ip = SecureNative::Utils::RequestUtils.get_client_ip_from_request(request, options)
+
+    expect(client_ip).to eq('141.246.115.116')
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@`
`55`	`55`	`'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',`
`56`	`56`	`'Authorization' => 'YOUR_API_KEY',`
`57`	`57`	`'Content-Type' => 'application/json',`
`58`		`- 'Sn-Version' => '0.1.36',`
	`58`	`+ 'Sn-Version' => '0.1.37',`
`59`	`59`	`'User-Agent' => 'SecureNative-ruby'`
`60`	`60`	`}`
`61`	`61`	`).to_return(status: 200, body: '', headers: {})`