/*!
|
* proxy-addr
|
* Copyright(c) 2014-2016 Douglas Christopher Wilson
|
* MIT Licensed
|
*/
|
|
'use strict'
|
|
/**
|
* Module exports.
|
* @public
|
*/
|
|
module.exports = proxyaddr
|
module.exports.all = alladdrs
|
module.exports.compile = compile
|
|
/**
|
* Module dependencies.
|
* @private
|
*/
|
|
var forwarded = require('forwarded')
|
var ipaddr = require('ipaddr.js')
|
|
/**
|
* Variables.
|
* @private
|
*/
|
|
var DIGIT_REGEXP = /^[0-9]+$/
|
var isip = ipaddr.isValid
|
var parseip = ipaddr.parse
|
|
/**
|
* Pre-defined IP ranges.
|
* @private
|
*/
|
|
var IP_RANGES = {
|
linklocal: ['169.254.0.0/16', 'fe80::/10'],
|
loopback: ['127.0.0.1/8', '::1/128'],
|
uniquelocal: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fc00::/7']
|
}
|
|
/**
|
* Get all addresses in the request, optionally stopping
|
* at the first untrusted.
|
*
|
* @param {Object} request
|
* @param {Function|Array|String} [trust]
|
* @public
|
*/
|
|
function alladdrs (req, trust) {
|
// get addresses
|
var addrs = forwarded(req)
|
|
if (!trust) {
|
// Return all addresses
|
return addrs
|
}
|
|
if (typeof trust !== 'function') {
|
trust = compile(trust)
|
}
|
|
for (var i = 0; i < addrs.length - 1; i++) {
|
if (trust(addrs[i], i)) continue
|
|
addrs.length = i + 1
|
}
|
|
return addrs
|
}
|
|
/**
|
* Compile argument into trust function.
|
*
|
* @param {Array|String} val
|
* @private
|
*/
|
|
function compile (val) {
|
if (!val) {
|
throw new TypeError('argument is required')
|
}
|
|
var trust
|
|
if (typeof val === 'string') {
|
trust = [val]
|
} else if (Array.isArray(val)) {
|
trust = val.slice()
|
} else {
|
throw new TypeError('unsupported trust argument')
|
}
|
|
for (var i = 0; i < trust.length; i++) {
|
val = trust[i]
|
|
if (!Object.prototype.hasOwnProperty.call(IP_RANGES, val)) {
|
continue
|
}
|
|
// Splice in pre-defined range
|
val = IP_RANGES[val]
|
trust.splice.apply(trust, [i, 1].concat(val))
|
i += val.length - 1
|
}
|
|
return compileTrust(compileRangeSubnets(trust))
|
}
|
|
/**
|
* Compile `arr` elements into range subnets.
|
*
|
* @param {Array} arr
|
* @private
|
*/
|
|
function compileRangeSubnets (arr) {
|
var rangeSubnets = new Array(arr.length)
|
|
for (var i = 0; i < arr.length; i++) {
|
rangeSubnets[i] = parseipNotation(arr[i])
|
}
|
|
return rangeSubnets
|
}
|
|
/**
|
* Compile range subnet array into trust function.
|
*
|
* @param {Array} rangeSubnets
|
* @private
|
*/
|
|
function compileTrust (rangeSubnets) {
|
// Return optimized function based on length
|
var len = rangeSubnets.length
|
return len === 0
|
? trustNone
|
: len === 1
|
? trustSingle(rangeSubnets[0])
|
: trustMulti(rangeSubnets)
|
}
|
|
/**
|
* Parse IP notation string into range subnet.
|
*
|
* @param {String} note
|
* @private
|
*/
|
|
function parseipNotation (note) {
|
var pos = note.lastIndexOf('/')
|
var str = pos !== -1
|
? note.substring(0, pos)
|
: note
|
|
if (!isip(str)) {
|
throw new TypeError('invalid IP address: ' + str)
|
}
|
|
var ip = parseip(str)
|
|
if (pos === -1 && ip.kind() === 'ipv6' && ip.isIPv4MappedAddress()) {
|
// Store as IPv4
|
ip = ip.toIPv4Address()
|
}
|
|
var max = ip.kind() === 'ipv6'
|
? 128
|
: 32
|
|
var range = pos !== -1
|
? note.substring(pos + 1, note.length)
|
: null
|
|
if (range === null) {
|
range = max
|
} else if (DIGIT_REGEXP.test(range)) {
|
range = parseInt(range, 10)
|
} else if (ip.kind() === 'ipv4' && isip(range)) {
|
range = parseNetmask(range)
|
} else {
|
range = null
|
}
|
|
if (range <= 0 || range > max) {
|
throw new TypeError('invalid range on address: ' + note)
|
}
|
|
return [ip, range]
|
}
|
|
/**
|
* Parse netmask string into CIDR range.
|
*
|
* @param {String} netmask
|
* @private
|
*/
|
|
function parseNetmask (netmask) {
|
var ip = parseip(netmask)
|
var kind = ip.kind()
|
|
return kind === 'ipv4'
|
? ip.prefixLengthFromSubnetMask()
|
: null
|
}
|
|
/**
|
* Determine address of proxied request.
|
*
|
* @param {Object} request
|
* @param {Function|Array|String} trust
|
* @public
|
*/
|
|
function proxyaddr (req, trust) {
|
if (!req) {
|
throw new TypeError('req argument is required')
|
}
|
|
if (!trust) {
|
throw new TypeError('trust argument is required')
|
}
|
|
var addrs = alladdrs(req, trust)
|
var addr = addrs[addrs.length - 1]
|
|
return addr
|
}
|
|
/**
|
* Static trust function to trust nothing.
|
*
|
* @private
|
*/
|
|
function trustNone () {
|
return false
|
}
|
|
/**
|
* Compile trust function for multiple subnets.
|
*
|
* @param {Array} subnets
|
* @private
|
*/
|
|
function trustMulti (subnets) {
|
return function trust (addr) {
|
if (!isip(addr)) return false
|
|
var ip = parseip(addr)
|
var ipconv
|
var kind = ip.kind()
|
|
for (var i = 0; i < subnets.length; i++) {
|
var subnet = subnets[i]
|
var subnetip = subnet[0]
|
var subnetkind = subnetip.kind()
|
var subnetrange = subnet[1]
|
var trusted = ip
|
|
if (kind !== subnetkind) {
|
if (subnetkind === 'ipv4' && !ip.isIPv4MappedAddress()) {
|
// Incompatible IP addresses
|
continue
|
}
|
|
if (!ipconv) {
|
// Convert IP to match subnet IP kind
|
ipconv = subnetkind === 'ipv4'
|
? ip.toIPv4Address()
|
: ip.toIPv4MappedAddress()
|
}
|
|
trusted = ipconv
|
}
|
|
if (trusted.match(subnetip, subnetrange)) {
|
return true
|
}
|
}
|
|
return false
|
}
|
}
|
|
/**
|
* Compile trust function for single subnet.
|
*
|
* @param {Object} subnet
|
* @private
|
*/
|
|
function trustSingle (subnet) {
|
var subnetip = subnet[0]
|
var subnetkind = subnetip.kind()
|
var subnetisipv4 = subnetkind === 'ipv4'
|
var subnetrange = subnet[1]
|
|
return function trust (addr) {
|
if (!isip(addr)) return false
|
|
var ip = parseip(addr)
|
var kind = ip.kind()
|
|
if (kind !== subnetkind) {
|
if (subnetisipv4 && !ip.isIPv4MappedAddress()) {
|
// Incompatible IP addresses
|
return false
|
}
|
|
// Convert IP to match subnet IP kind
|
ip = subnetisipv4
|
? ip.toIPv4Address()
|
: ip.toIPv4MappedAddress()
|
}
|
|
return ip.match(subnetip, subnetrange)
|
}
|
}
|
