Merge pull request rails#254 from wjordan/rescue_ip_spoof

Rescue ActionDispatch::RemoteIp::IpSpoofAttackError
visfleet · Mar 30, 2018 · 266b121 · 266b121
2 parents d858b05 + 456ae92
commit 266b121
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/lib/web_console/request.rb b/lib/web_console/request.rb
@@ -21,6 +21,8 @@ def from_whitelisted_ip?
     # Determines the remote IP using our much stricter whitelist.
     def strict_remote_ip
       GetSecureIp.new(self, whitelisted_ips).to_s
+    rescue ActionDispatch::RemoteIp::IpSpoofAttackError
+      '[Spoofed]'
     end
 
     # Returns whether the request is acceptable.

diff --git a/test/web_console/request_test.rb b/test/web_console/request_test.rb
@@ -44,6 +44,12 @@ class RequestTest < ActiveSupport::TestCase
       assert_not req.from_whitelisted_ip?
     end
 
+    test '#from_whitelisted_ip? is falsy for spoofed IPs' do
+      req = request('http://example.com', 'HTTP_CLIENT_IP' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '127.0.0.0')
+
+      assert_not req.from_whitelisted_ip?
+    end
+
     test '#acceptable? is truthy for current version' do
       req = xhr('http://example.com', 'HTTP_ACCEPT' => "#{Mime[:web_console_v2]}")
 

diff --git a/test/web_console/whiny_request_test.rb b/test/web_console/whiny_request_test.rb
@@ -12,6 +12,13 @@ class WhinyRequestTest < ActiveSupport::TestCase
       assert_not req.from_whitelisted_ip?
     end
 
+    test '#from_whitelisted_ip? is falsy for spoofed IPs' do
+      WebConsole.logger.expects(:info)
+      req = request('http://example.com', 'HTTP_CLIENT_IP' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '127.0.0.0')
+
+      assert_not req.from_whitelisted_ip?
+    end
+
     private
 
       def request(*args)