parse-community · dblythy · Mar 25, 2022 · Mar 26, 2022 · Mar 26, 2022 · Mar 26, 2022
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -39,7 +39,6 @@
     "graphql-relay": "0.10.0",
     "graphql-tag": "2.12.6",
     "intersect": "1.0.1",
-    "ip-range-check": "0.2.0",
     "jsonwebtoken": "9.0.0",
     "jwks-rsa": "2.1.5",
     "ldapjs": "2.3.3",

diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js
@@ -27,6 +27,7 @@ describe('middlewares', () => {
     expect(fakeReq.headers['content-type']).toEqual(undefined);
     const contentType = 'image/jpeg';
     fakeReq.body._ContentType = contentType;
+    fakeReq.ip = '127.0.0.1';
     middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
       expect(fakeReq.headers['content-type']).toEqual(contentType);
       expect(fakeReq.body._ContentType).toEqual(undefined);
@@ -151,7 +152,33 @@ describe('middlewares', () => {
     );
   });
 
-  it('should not succeed if the ip does not belong to masterKeyIps list', async () => {
+  it('can allow all with masterKeyIPs', async () => {
+    const logger = require('../lib/logger').logger;
+    spyOn(logger, 'error').and.callFake(() => {});
+    AppCache.put(fakeReq.body._ApplicationId, {
+      masterKey: 'masterKey',
+      masterKeyIps: ['::/0'],
+    });
+    fakeReq.ip = '::ffff:192.168.0.101';
+    fakeReq.headers['x-parse-master-key'] = 'masterKey';
+    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
+    expect(fakeReq.auth.isMaster).toBe(true);
+  });
+
+  it('can allow localhost with masterKeyIPs', async () => {
+    const logger = require('../lib/logger').logger;
+    spyOn(logger, 'error').and.callFake(() => {});
+    AppCache.put(fakeReq.body._ApplicationId, {
+      masterKey: 'masterKey',
+      masterKeyIps: ['::'],
+    });
+    fakeReq.ip = '127.0.0.1';
+    fakeReq.headers['x-parse-master-key'] = 'masterKey';
+    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
+    expect(fakeReq.auth.isMaster).toBe(true);
+  });
+
+  it('should not succeed if the ip does not belong to masterKeyIps list (ipv4)', async () => {
     AppCache.put(fakeReq.body._ApplicationId, {
       masterKey: 'masterKey',
       masterKeyIps: ['10.0.0.1'],
@@ -162,6 +189,19 @@ describe('middlewares', () => {
     expect(fakeReq.auth.isMaster).toBe(false);
   });
 
+  it('should not succeed if the ip does not belong to masterKeyIps list (ipv6)', async () => {
+    const logger = require('../lib/logger').logger;
+    spyOn(logger, 'error').and.callFake(() => {});
+    AppCache.put(fakeReq.body._ApplicationId, {
+      masterKey: 'masterKey',
+      masterKeyIps: ['::1'],
+    });
+    fakeReq.ip = '::ffff:101.10.0.1';
+    fakeReq.headers['x-parse-master-key'] = 'masterKey';
+    await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
+    expect(fakeReq.auth.isMaster).toBe(false);
+  });
+
   it('should not succeed if the ip does not belong to maintenanceKeyIps list', async () => {
     const logger = require('../lib/logger').logger;
     spyOn(logger, 'error').and.callFake(() => {});

diff --git a/spec/index.spec.js b/spec/index.spec.js
@@ -434,13 +434,12 @@ describe('server', () => {
     reconfigureServer({ revokeSessionOnPasswordReset: 'non-bool' }).catch(done);
   });
 
-  it('fails if you provides invalid ip in masterKeyIps', done => {
-    reconfigureServer({ masterKeyIps: ['invalidIp', '1.2.3.4'] }).catch(error => {
-      expect(error).toEqual(
-        'The Parse Server option "masterKeyIps" contains an invalid IP address "invalidIp".'
-      );
-      done();
-    });
+  it('fails if you provides invalid ip in masterKeyIps', async () => {
+    await expectAsync(
+      reconfigureServer({ masterKeyIps: ['1.2.3.4/0', 'invalidIp'] })
+    ).toBeRejectedWith(
+      'The Parse Server option "masterKeyIps" contains an invalid IP address "invalidIp".'
+    );
   });
 
   it('should succeed if you provide valid ip in masterKeyIps', done => {

diff --git a/src/middlewares.js b/src/middlewares.js
@@ -10,9 +10,9 @@ import PostgresStorageAdapter from './Adapters/Storage/Postgres/PostgresStorageA
 import rateLimit from 'express-rate-limit';
 import { RateLimitOptions } from './Options/Definitions';
 import pathToRegexp from 'path-to-regexp';
-import ipRangeCheck from 'ip-range-check';
 import RedisStore from 'rate-limit-redis';
 import { createClient } from 'redis';
+import { BlockList, isIPv4 } from 'net';
 
 export const DEFAULT_ALLOWED_HEADERS =
   'X-Parse-Master-Key, X-Parse-REST-API-Key, X-Parse-Javascript-Key, X-Parse-Application-Id, X-Parse-Client-Version, X-Parse-Session-Token, X-Requested-With, X-Parse-Revocable-Session, X-Parse-Request-Id, Content-Type, Pragma, Cache-Control';
@@ -23,6 +23,29 @@ const getMountForRequest = function (req) {
   return req.protocol + '://' + req.get('host') + mountPath;
 };
 
+const checkIpRanges = (ip, ranges = []) => {
+  const transformIp = ip => {
+    if (ip === '::1' || ip === '::') {
+      ip = '127.0.0.1';
+    }
+    return ip;
+  };
+  const getType = address => (isIPv4(address) ? 'ipv4' : 'ipv6');
+  const blocklist = new BlockList();
+  for (const range of ranges) {
+    if (range.includes('/')) {
+      const [net, prefix] = range.split('/');
+      const addr = transformIp(net);
+      blocklist.addSubnet(addr, Number(prefix), getType(addr));
+    } else {
+      const addr = transformIp(range);
+      blocklist.addAddress(addr, getType(addr));
+    }
+  }
+  const client = transformIp(ip);
+  return blocklist.check(client, getType(client));
+};
+
 // Checks that the request is authorized for this app and checks user
 // auth too.
 // The bodyparser should run before this middleware.
@@ -183,7 +206,7 @@ export function handleParseHeaders(req, res, next) {
   const isMaintenance =
     req.config.maintenanceKey && info.maintenanceKey === req.config.maintenanceKey;
   if (isMaintenance) {
-    if (ipRangeCheck(clientIp, req.config.maintenanceKeyIps || [])) {
+    if (checkIpRanges(clientIp, req.config.maintenanceKeyIps)) {
       req.auth = new auth.Auth({
         config: req.config,
         installationId: info.installationId,
@@ -199,7 +222,7 @@ export function handleParseHeaders(req, res, next) {
   }
 
   let isMaster = info.masterKey === req.config.masterKey;
-  if (isMaster && !ipRangeCheck(clientIp, req.config.masterKeyIps || [])) {
+  if (isMaster && !checkIpRanges(clientIp, req.config.masterKeyIps)) {
     const log = req.config?.loggerController || defaultLogger;
     log.error(
       `Request using master key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'masterKeyIps'.`