From f1430ec6af411ea099e67a665c447a47311b285f Mon Sep 17 00:00:00 2001 From: Malachi Soord Date: Sun, 5 Nov 2023 12:11:59 +0100 Subject: [PATCH 1/5] Add way to filter IP addresses to be allowed to access --- .nvmrc | 1 + package-lock.json | 40 ++++++++++++++++++++++++++++++++++++++++ package.json | 1 + server/server.js | 9 +++++++++ 4 files changed, 51 insertions(+) create mode 100644 .nvmrc diff --git a/.nvmrc b/.nvmrc new file mode 100644 index 000000000..87ec8842b --- /dev/null +++ b/.nvmrc @@ -0,0 +1 @@ +18.18.2 diff --git a/package-lock.json b/package-lock.json index 1c62e19d8..7530a7122 100644 --- a/package-lock.json +++ b/package-lock.json @@ -30,6 +30,7 @@ "dotenv": "~16.0.3", "express": "~4.17.3", "express-basic-auth": "~1.2.1", + "express-ipfilter": "^1.3.1", "express-static-gzip": "~2.1.7", "form-data": "~4.0.0", "gamedig": "~4.1.0", @@ -8602,6 +8603,25 @@ "basic-auth": "^2.0.1" } }, + "node_modules/express-ipfilter": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/express-ipfilter/-/express-ipfilter-1.3.1.tgz", + "integrity": "sha512-9WZC8wGkI6I6ygZNzuZ2MbFJiGoDXs1dM+E8LKtSP13pdgqrnkonWlgvvbxG3YZpa7Haz7Ndum9/J6qkj52OqA==", + "dependencies": { + "ip": "^1.1.8", + "lodash": "^4.17.11", + "proxy-addr": "^2.0.7", + "range_check": "^2.0.4" + }, + "engines": { + "node": ">=8.9.0" + } + }, + "node_modules/express-ipfilter/node_modules/ip": { + "version": "1.1.8", + "resolved": "https://registry.npmjs.org/ip/-/ip-1.1.8.tgz", + "integrity": "sha512-PuExPYUiu6qMBQb4l06ecm6T6ujzhmh+MeJcW9wa89PoAz5pvd4zPgN5WJV104mb6S2T1AwNIAaB70JNrLQWhg==" + }, "node_modules/express-static-gzip": { "version": "2.1.7", "resolved": "https://registry.npmjs.org/express-static-gzip/-/express-static-gzip-2.1.7.tgz", 
@@ -9950,6 +9970,14 @@ "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.0.tgz", "integrity": "sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ==" }, + "node_modules/ip6": { + "version": "0.2.10", + "resolved": "https://registry.npmjs.org/ip6/-/ip6-0.2.10.tgz", + "integrity": "sha512-1LdpyKjhvepd6EbAU6rW4g14vuYtx5TnJX9TfZZBhsM6DsyPQLNzW12rtbUqXBMwqFrLVV/Gcxv0GNFvJp2cYA==", + "bin": { + "ip6": "ip6-cli.js" + } + }, "node_modules/ipaddr.js": { "version": "1.9.1", "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", @@ -14953,6 +14981,18 @@ "node": ">=0.8.0" } }, + "node_modules/range_check": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/range_check/-/range_check-2.0.4.tgz", + "integrity": "sha512-aed0ocXXj+SIiNNN9b+mZWA3Ow2GXHtftOGk2xQwshK5GbEZAvUcPWNQBLTx/lPcdFRIUFlFCRtHTQNIFMqynQ==", + "dependencies": { + "ip6": "^0.2.0", + "ipaddr.js": "^1.9.1" + }, + "engines": { + "node": ">=10.0.0" + } + }, "node_modules/range-parser": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", diff --git a/package.json b/package.json index f11712658..058dfd484 100644 --- a/package.json +++ b/package.json @@ -88,6 +88,7 @@ "dotenv": "~16.0.3", "express": "~4.17.3", "express-basic-auth": "~1.2.1", + "express-ipfilter": "^1.3.1", "express-static-gzip": "~2.1.7", "form-data": "~4.0.0", "gamedig": "~4.1.0", diff --git a/server/server.js b/server/server.js index f726790c2..6d43e4b62 100644 --- a/server/server.js +++ b/server/server.js 
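Review bot: The new `"express-ipfilter": "^1.3.1"` entry in the package.json hunk uses a caret range, while every neighbouring dependency there is held to patch updates with a tilde (`~4.17.3`, `~1.2.1`, `~2.1.7`). Since this package becomes part of the access-control path, I would keep it to the same policy: `"express-ipfilter": "~1.3.1",`. The lockfile hunks also show it bringing in `range_check`, `ip6` and a nested `ip` 1.1.8 next to the existing `ip` 2.0.0, which is worth including in the dependency audit.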
@@ -117,6 +117,15 @@ const port = [ args.port, process.env.UPTIME_KUMA_PORT, process.env.PORT, 3001 ] const disableFrameSameOrigin = !!process.env.UPTIME_KUMA_DISABLE_FRAME_SAMEORIGIN || args["disable-frame-sameorigin"] || false; const cloudflaredToken = args["cloudflared-token"] || process.env.UPTIME_KUMA_CLOUDFLARED_TOKEN || undefined; +const ipsToAllow = process.env.UPTIME_KUMA_IPS_TO_ALLOW || args["ips-to-allow"] || undefined; +if (ipsToAllow !== undefined) { + log.info("server", "IPs to allow: " + ipsToAllow); + + const ipfilter = require("express-ipfilter").IpFilter; + app.use(ipfilter(ipsToAllow.split(","), { mode: "allow" })); +} + + // 2FA / notp verification defaults const twoFAVerifyOptions = { "window": 1, From 727651b4ae68c393166f1c6e8265a4a0aa1a37c7 Mon Sep 17 00:00:00 2001 From: Malachi Soord Date: Sun, 5 Nov 2023 12:17:22 +0100 Subject: [PATCH 2/5] Fix lint --- server/server.js | 1 - 1 file changed, 1 deletion(-) diff --git a/server/server.js b/server/server.js index 6d43e4b62..8931d38e4 100644 --- a/server/server.js +++ b/server/server.js @@ -125,7 +125,6 @@ if (ipsToAllow !== undefined) { app.use(ipfilter(ipsToAllow.split(","), { mode: "allow" })); } - // 2FA / notp verification defaults const twoFAVerifyOptions = { "window": 1, From 81609304703c7a0000b63ad82fed43dd8c79f1f9 Mon Sep 17 00:00:00 2001 From: Malachi Soord Date: Sun, 5 Nov 2023 13:50:25 +0100 Subject: [PATCH 3/5] remove nvmrc + validate input --- .nvmrc | 1 - server/server.js | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) delete mode 100644 .nvmrc diff --git a/.nvmrc b/.nvmrc deleted file mode 100644 index 87ec8842b..000000000 --- a/.nvmrc +++ /dev/null @@ -1 +0,0 @@ -18.18.2 diff --git a/server/server.js b/server/server.js index 8931d38e4..8c0af8d53 100644 --- a/server/server.js +++ b/server/server.js 
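Review bot: In the [PATCH 1/5] server.js hunk the filter is created with only `{ mode: "allow" }`. As far as I know, express-ipfilter then matches the allow-list against the socket peer address and ignores forwarding headers unless its `trustProxy` option is set. Behind a reverse proxy or tunnel every request carries the proxy's address, so either all clients are rejected or allowing the proxy's IP admits everyone. I would pass `trustProxy` scoped to the known proxy (trusting forwarding headers from arbitrary peers would let a client state its own address), or at least add a comment such as `// Matches the TCP peer address; behind a reverse proxy this is the proxy, not the client`. Separately, `process.env.UPTIME_KUMA_IPS_TO_ALLOW || args["ips-to-allow"]` reads the environment first, while `cloudflaredToken` just above reads `args[...]` first; using the same order would be less surprising.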
@@ -119,8 +119,11 @@ const cloudflaredToken = args["cloudflared-token"] || process.env.UPTIME_KUMA_CL const ipsToAllow = process.env.UPTIME_KUMA_IPS_TO_ALLOW || args["ips-to-allow"] || undefined; if (ipsToAllow !== undefined) { + if (typeof ipsToAllow !== "string") { + log.error("server", "IPs to allow must be a string, " + typeof ipsToAllow + " provided"); + process.exit(1); + } log.info("server", "IPs to allow: " + ipsToAllow); - const ipfilter = require("express-ipfilter").IpFilter; app.use(ipfilter(ipsToAllow.split(","), { mode: "allow" })); } From ad71fc94810762f01022e35abecc5ce22197f52a Mon Sep 17 00:00:00 2001 From: Malachi Soord Date: Sat, 11 Nov 2023 11:32:41 +0100 Subject: [PATCH 4/5] Add IP validation --- server/server.js | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/server/server.js b/server/server.js index 8c0af8d53..c9cc92f2c 100644 --- a/server/server.js +++ b/server/server.js @@ -123,6 +123,15 @@ if (ipsToAllow !== undefined) { log.error("server", "IPs to allow must be a string, " + typeof ipsToAllow + " provided"); process.exit(1); } + + const net = require("net"); + for (const ip of ipsToAllow.split(",")) { + if (net.isIP(ip) === 0) { + log.error("server", "Provided IPs to allow must be valid IP addresses, " + ip + " provided"); + process.exit(1); + } + } + log.info("server", "IPs to allow: " + ipsToAllow); const ipfilter = require("express-ipfilter").IpFilter; app.use(ipfilter(ipsToAllow.split(","), { mode: "allow" })); From cfc69e69e8593f0b70175507f8e05ffec9b8c3b3 Mon Sep 17 00:00:00 2001 From: Malachi Soord Date: Sat, 11 Nov 2023 11:35:14 +0100 Subject: [PATCH 5/5] Remove duplication --- server/server.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/server/server.js b/server/server.js index c9cc92f2c..e7e785e81 100644 --- a/server/server.js +++ b/server/server.js 
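Review bot: The type check added in [PATCH 3/5] runs only when `ipsToAllow` is defined, and the context line `process.env.UPTIME_KUMA_IPS_TO_ALLOW || args["ips-to-allow"] || undefined` turns an empty environment value into `undefined`. A variable that is set but empty, for example from an unexpanded deployment template, therefore starts the server with no filter and no log line. For an access restriction I would fail closed on that case: a guard on `process.env.UPTIME_KUMA_IPS_TO_ALLOW === ""` placed before this block that logs with `log.error` and exits the same way the type check does.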
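Review bot: In [PATCH 4/5], `net.isIP(ip)` is applied to the raw pieces of `split(",")`, so a value written as `10.0.0.1, 10.0.0.2` (constructed example) exits on the second entry because of its leading space, and a trailing comma exits on an empty entry. Trimming before validation avoids that: `for (const ip of ipsToAllow.split(",").map((entry) => entry.trim())) {`, with the trimmed list also being what is handed to `ipfilter`. The same applies to `splitIps` in the [PATCH 5/5] hunk. Note as well that `net.isIP` rejects CIDR notation, which express-ipfilter itself accepts as far as I know, so this check limits the option to single addresses; if that is intended, it deserves a line in the option's documentation.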
@@ -124,17 +124,18 @@ if (ipsToAllow !== undefined) { process.exit(1); } + const splitIps = ipsToAllow.split(","); const net = require("net"); - for (const ip of ipsToAllow.split(",")) { + for (const ip of splitIps) { if (net.isIP(ip) === 0) { log.error("server", "Provided IPs to allow must be valid IP addresses, " + ip + " provided"); process.exit(1); } } - log.info("server", "IPs to allow: " + ipsToAllow); + log.info("server", "IPs to allow: " + splitIps); const ipfilter = require("express-ipfilter").IpFilter; - app.use(ipfilter(ipsToAllow.split(","), { mode: "allow" })); + app.use(ipfilter(splitIps, { mode: "allow" })); } // 2FA / notp verification defaults
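Review bot: `app.use(ipfilter(splitIps, { mode: "allow" }))` restricts only requests that go through the Express middleware chain, and only middleware registered after this line, which the code does not say. If the same HTTP server also carries a listener that bypasses Express (a WebSocket or Socket.IO endpoint, for instance; nothing in this hunk shows either way), that channel would need its own check against `splitIps`. I would add a comment such as `// Applies to Express routes registered below only; other listeners on the HTTP server are not covered`. Also, express-ipfilter reports a denied address by passing an error to `next()`, and no error handler is visible here, so it is worth confirming the response is a plain 403 rather than Express's default error page, which includes a stack trace outside production.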