Support ipv6 extraction

Author: Inbal Tako

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    securenative (0.1.36)
+    securenative (0.1.37)
 
 GEM
   remote: https://rubygems.org/

lib/securenative/utils/request_utils.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'ipaddr'
+
 module SecureNative
   module Utils
     class RequestUtils
@@ -24,14 +26,20 @@ def self.get_client_ip_from_request(request, options)
               if h.nil?
                 h = request.env[self.parse_ip(header)]
               end
-              return h.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless h.nil?
+              parsed = self.parse_proxy_header(h, header)
+              if self.validate_ip(parsed)
+                return parsed
+              end
             rescue NoMethodError
               begin
                 h = request[header]
                 if h.nil?
                   h = request.env[self.parse_ip(header)]
                 end
-                return h.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless h.nil?
+                parsed = self.parse_proxy_header(h, header)
+                if self.validate_ip(parsed)
+                  return parsed
+                end
               rescue NoMethodError
                 # Ignored
               end
@@ -41,35 +49,47 @@ def self.get_client_ip_from_request(request, options)
 
         begin
           x_forwarded_for = request.env['HTTP_X_FORWARDED_FOR']
-          return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+          if self.validate_ip(x_forwarded_for)
+            return x_forwarded_for
+          end
         rescue NoMethodError
           begin
             x_forwarded_for = request['HTTP_X_FORWARDED_FOR']
-            return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+            if self.validate_ip(x_forwarded_for)
+              return x_forwarded_for
+            end
           rescue NoMethodError
             # Ignored
           end
         end
 
         begin
           x_forwarded_for = request.env['HTTP_X_REAL_IP']
-          return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+          if self.validate_ip(x_forwarded_for)
+            return x_forwarded_for
+          end
         rescue NoMethodError
           begin
             x_forwarded_for = request['HTTP_X_REAL_IP']
-            return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+            if self.validate_ip(x_forwarded_for)
+              return x_forwarded_for
+            end
           rescue NoMethodError
             # Ignored
           end
         end
 
         begin
           x_forwarded_for = request.env['REMOTE_ADDR']
-          return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+          if self.validate_ip(x_forwarded_for)
+            return x_forwarded_for
+          end
         rescue NoMethodError
           begin
             x_forwarded_for = request['REMOTE_ADDR']
-            return x_forwarded_for.scan(/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/)[0] unless x_forwarded_for.nil?
+            if self.validate_ip(x_forwarded_for)
+              return x_forwarded_for
+            end
           rescue NoMethodError
             # Ignored
           end
@@ -96,6 +116,32 @@ def self.parse_ip(headers)
         h = headers.gsub('-', '_')
         return PREFIX + h.upcase
       end
+
+      def self.parse_proxy_header(headers, header_key)
+        h = headers.gsub(header_key + ': ', '')
+        return h
+      end
+
+      def self.validate_ip(ip)
+        if ip.nil?
+          return false
+        end
+
+        begin
+          ipaddr = IPAddr.new(ip)
+          if ipaddr.ipv4?
+            return true
+          end
+
+          if ipaddr.ipv6?
+            return true
+          end
+        rescue Exception
+          # Ignored
+        end
+
+        return false
+      end
     end
   end
 end

lib/securenative/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SecureNative
-  VERSION = '0.1.36'
+  VERSION = '0.1.37'
 end

spec/securenative/spec_api_manager.rb

@@ -55,7 +55,7 @@
         'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
         'Authorization' => 'YOUR_API_KEY',
         'Content-Type' => 'application/json',
-        'Sn-Version' => '0.1.36',
+        'Sn-Version' => '0.1.37',
         'User-Agent' => 'SecureNative-ruby'
       }
     ).to_return(status: 200, body: '', headers: {})

spec/securenative/spec_event_manager.rb

@@ -29,7 +29,7 @@ def initialize
               'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
               'Authorization' => 'YOUR_API_KEY',
               'Content-Type' => 'application/json',
-              'Sn-Version' => '0.1.36',
+              'Sn-Version' => '0.1.37',
               'User-Agent' => 'SecureNative-ruby'
             })
       .to_return(status: 200, body: '', headers: {})
@@ -53,7 +53,7 @@ def initialize
               'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
               'Authorization' => 'YOUR_API_KEY',
               'Content-Type' => 'application/json',
-              'Sn-Version' => '0.1.36',
+              'Sn-Version' => '0.1.37',
               'User-Agent' => 'SecureNative-ruby'
             })
       .to_return(status: 401, body: '', headers: {})
@@ -74,7 +74,7 @@ def initialize
               'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
               'Authorization' => 'YOUR_API_KEY',
               'Content-Type' => 'application/json',
-              'Sn-Version' => '0.1.36',
+              'Sn-Version' => '0.1.37',
               'User-Agent' => 'SecureNative-ruby'
             })
       .to_return(status: 500, body: '', headers: {})

spec/securenative/spec_http_client.rb

@@ -15,7 +15,7 @@
               'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
               'Authorization' => 'YOUR_API_KEY',
               'Content-Type' => 'application/json',
-              'Sn-Version' => '0.1.36',
+              'Sn-Version' => '0.1.37',
               'User-Agent' => 'SecureNative-ruby'
             }).to_return(status: 200, body: '', headers: {})
 

spec/securenative/utils/spec_request_utils.rb

@@ -5,7 +5,7 @@
 require 'rspec'
 
 RSpec.describe SecureNative::Utils::RequestUtils do
-  it 'extract a request with proxy headers' do
+  it 'extract a request with proxy headers ipv4' do
     options = SecureNative::Options.new
     options.proxy_headers = [
       'CF-Connecting-IP'
@@ -23,4 +23,23 @@
 
     expect(client_ip).to eq('203.0.113.1')
   end
+
+  it 'extract a request with proxy headers ipv6' do
+    options = SecureNative::Options.new
+    options.proxy_headers = [
+        'CF-Connecting-IP'
+    ]
+
+    stub_request(:get, 'http://www.example.com/')
+        .with(headers: {
+            'Accept' => '*/*',
+            'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
+            'User-Agent' => 'Ruby'
+        }).to_return(status: 200, body: '', headers: { 'CF-Connecting-IP' => 'CF-Connecting-IP: f71f:5bf9:25ff:1883:a8c4:eeff:7b80:aa2d' })
+
+    request = Net::HTTP.get_response('www.example.com', '/')
+    client_ip = SecureNative::Utils::RequestUtils.get_client_ip_from_request(request, options)
+
+    expect(client_ip).to eq('f71f:5bf9:25ff:1883:a8c4:eeff:7b80:aa2d')
+  end
 end