kenmirrors/MagicMirror
1
0
Fork 0
mirror of https://github.com/MichMich/MagicMirror.git synced 2025-12-01 10:31:45 +00:00
Code Issues Projects Releases Wiki Activity
Files
74b682fdf1e05dadff2c62fb4a685d0f5ec6c282
MagicMirror/js/ip_access_control.js

64 lines
1.8 KiB
JavaScript
Raw Normal View History

refactor: replace `express-ipfilter` with lightweight custom middleware (#3917) This fixes security issue [CVE-2023-42282](https://github.com/advisories/GHSA-78xj-cgh5-2h22), which is not very likely to be exploitable in MagicMirror² setups, but still should be fixed. The [express-ipfilter](https://www.npmjs.com/package/express-ipfilter) package depends on the obviously unmaintained [ip](https://github.com/indutny/node-ip) package, which has known security vulnerabilities. Since no fix is available, this commit replaces both dependencies with a custom middleware using the better maintained [ipaddr.js](https://www.npmjs.com/package/ipaddr.js) library. Changes: - Add new `js/ip_access_control.js` with lightweight middleware - Remove `express-ipfilter` dependency, add `ipaddr.js` - Update `js/server.js` to use new middleware - In addition, I have formulated the descriptions of the corresponding tests a little more clearly.
2025-10-18 19:56:55 +02:00
const ipaddr = require("ipaddr.js");
const Log = require("logger");
/**
* Checks if a client IP matches any entry in the whitelist
* @param {string} clientIp - The IP address to check
* @param {string[]} whitelist - Array of IP addresses or CIDR ranges
* @returns {boolean} True if IP is allowed
*/
function isAllowed (clientIp, whitelist) {
try {
const addr = ipaddr.process(clientIp);
return whitelist.some((entry) => {
try {
// CIDR notation
if (entry.includes("/")) {
const [rangeAddr, prefixLen] = ipaddr.parseCIDR(entry);
return addr.match(rangeAddr, prefixLen);
}
// Single IP address - let ipaddr.process normalize both
const allowedAddr = ipaddr.process(entry);
return addr.toString() === allowedAddr.toString();
} catch (err) {
Log.warn(`Invalid whitelist entry: ${entry}`);
return false;
}
});
} catch (err) {
Log.warn(`Failed to parse client IP: ${clientIp}`);
return false;
}
}
/**
* Creates an Express middleware for IP whitelisting
* @param {string[]} whitelist - Array of allowed IP addresses or CIDR ranges
* @returns {import("express").RequestHandler} Express middleware function
*/
function ipAccessControl (whitelist) {
// Empty whitelist means allow all
if (!Array.isArray(whitelist) || whitelist.length === 0) {
return function (req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
next();
};
}
return function (req, res, next) {
const clientIp = req.ip || req.socket.remoteAddress;
if (isAllowed(clientIp, whitelist)) {
res.header("Access-Control-Allow-Origin", "*");
next();
} else {
Log.log(`IP ${clientIp} is not allowed to access the mirror`);
res.status(403).send("This device is not allowed to access your mirror. <br> Please check your config.js or config.js.sample to change this.");
}
};
}
module.exports = { ipAccessControl };
Reference in New Issue Copy Permalink