From 654df54fa7fc88ee3585e214c60deda0af13fd1e Mon Sep 17 00:00:00 2001
From: MrUnknownDE
Date: Sat, 29 Mar 2025 11:56:16 +0100
Subject: [PATCH] add private ip check

---
 backend/server.js | 59 +++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 57 insertions(+), 2 deletions(-)

diff --git a/backend/server.js b/backend/server.js
index 4693fe8..69248b9 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -101,6 +101,47 @@ function executeCommand(command, args) {
 }
+/**
+ * Prüft, ob eine IP-Adresse im privaten, Loopback- oder Link-Local-Bereich liegt.
+ * @param {string} ip - Die zu prüfende IP-Adresse (bereits validiert).
+ * @returns {boolean} True, wenn die IP privat/lokal ist, sonst false.
+ */
+function isPrivateIp(ip) {
+ if (!ip) return false; // Sollte durch isValidIp vorher abgefangen werden
+
+ const ipVersion = net.isIP(ip); // Gibt 4 oder 6 zurück
+
+ if (ipVersion === 4) {
+ const parts = ip.split('.').map(Number);
+ return (
+ // 10.0.0.0/8
+ parts[0] === 10 ||
+ // 172.16.0.0/12
+ (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) ||
+ // 192.168.0.0/16
+ (parts[0] === 192 && parts[1] === 168) ||
+ // 127.0.0.0/8 (Loopback)
+ parts[0] === 127 ||
+ // 169.254.0.0/16 (Link-local)
+ (parts[0] === 169 && parts[1] === 254)
+ );
+ } else if (ipVersion === 6) {
+ const lowerCaseIp = ip.toLowerCase();
+ return (
+ // ::1/128 (Loopback)
+ lowerCaseIp === '::1' ||
+ // fc00::/7 (Unique Local Addresses)
+ lowerCaseIp.startsWith('fc') || lowerCaseIp.startsWith('fd') ||
+ // fe80::/10 (Link-local)
+ lowerCaseIp.startsWith('fe8') || lowerCaseIp.startsWith('fe9') ||
+ lowerCaseIp.startsWith('fea') || lowerCaseIp.startsWith('feb')
+ );
+ }
+
+ // Wenn net.isIP 0 zurückgibt (sollte nicht passieren nach isValidIp)
+ return false;
+}
+
 // --- Initialisierung (MaxMind DBs laden) ---
 async function initialize() {
 try {
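Review bot: The IPv6 branch of isPrivateIp lets IPv4-mapped addresses through: `::ffff:127.0.0.1` and `::ffff:10.0.0.1` pass isValidIp (net.isIP reports them as version 6) but match none of the `::1`/`fc`/`fd`/`fe8`–`feb` prefixes, so the new 403 guard in the ping and traceroute handlers is bypassed simply by writing a loopback or RFC 1918 target in that form. The IPv4 branch also omits 0.0.0.0/8, 100.64.0.0/10, 224.0.0.0/4 and 240.0.0.0/4, the IPv6 branch omits `::` and ff00::/8, and both `if (!ip) return false` and the final `return false` fail open for anything unparsed. Since `net` is already in scope (net.isIP is called in this hunk), a `net.BlockList` (Node 15+) gives CIDR matching over one declared list and, per its documentation, checks IPv4-mapped IPv6 input against the IPv4 rules; the rewrite below replaces the function and its range table. Whether net.isIP admits a `%zone` suffix that BlockList would reject should be confirmed before relying on the strip in the rewrite.
```javascript
// Non-routable / reserved ranges. net.BlockList (Node >= 15) does CIDR matching
// and, per its docs, checks IPv4-mapped IPv6 forms (::ffff:10.0.0.1, ::ffff:a00:1)
// against the IPv4 rules, which the original prefix-string checks did not.
const BLOCKED_RANGES = new net.BlockList();
BLOCKED_RANGES.addSubnet('0.0.0.0', 8, 'ipv4');      // "this" network
BLOCKED_RANGES.addSubnet('10.0.0.0', 8, 'ipv4');
BLOCKED_RANGES.addSubnet('100.64.0.0', 10, 'ipv4');  // CGNAT (RFC 6598)
BLOCKED_RANGES.addSubnet('127.0.0.0', 8, 'ipv4');    // loopback
BLOCKED_RANGES.addSubnet('169.254.0.0', 16, 'ipv4'); // link-local
BLOCKED_RANGES.addSubnet('172.16.0.0', 12, 'ipv4');
BLOCKED_RANGES.addSubnet('192.168.0.0', 16, 'ipv4');
BLOCKED_RANGES.addSubnet('224.0.0.0', 4, 'ipv4');    // multicast
BLOCKED_RANGES.addSubnet('240.0.0.0', 4, 'ipv4');    // reserved + broadcast
BLOCKED_RANGES.addAddress('::', 'ipv6');              // unspecified
BLOCKED_RANGES.addAddress('::1', 'ipv6');             // loopback
BLOCKED_RANGES.addSubnet('fc00::', 7, 'ipv6');        // unique local
BLOCKED_RANGES.addSubnet('fe80::', 10, 'ipv6');       // link-local
BLOCKED_RANGES.addSubnet('ff00::', 8, 'ipv6');        // multicast

/**
 * Returns true when `ip` must not be used as a ping/traceroute target.
 * Fails closed: anything net.isIP cannot parse is treated as blocked.
 * @param {string} ip - Candidate target address.
 * @returns {boolean}
 */
function isPrivateIp(ip) {
  const ipVersion = net.isIP(ip);
  if (ipVersion === 0) return true;
  // TODO confirm: net.isIP may accept a zone id (fe80::1%eth0); strip it for BlockList.
  const bare = ipVersion === 6 ? ip.split('%')[0] : ip;
  return BLOCKED_RANGES.check(bare, ipVersion === 6 ? 'ipv6' : 'ipv4');
}
```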
@@ -194,7 +235,7 @@ app.get('/api/ping', async (req, res) => {
 console.log(`--- PING Request ---`);
 console.log(`Value of targetIp: "${targetIp}"`);
- const isValidResult = isValidIp(targetIp); // Verwendet jetzt die neue isValidIp
+ const isValidResult = isValidIp(targetIp);
 console.log(`isValidIp (net) result for "${targetIp}": ${isValidResult}`);
 if (!isValidResult) {
@@ -202,6 +243,13 @@ app.get('/api/ping', async (req, res) => {
 return res.status(400).json({ error: 'Invalid target IP address provided.' });
 }
+ // --- NEUE PRÜFUNG AUF PRIVATE IP ---
+ if (isPrivateIp(targetIp)) {
+ console.log(`Target IP "${targetIp}" is private/local. Aborting ping.`);
+ return res.status(403).json({ error: 'Operations on private or local IP addresses are not allowed.' });
+ }
+ // --- ENDE NEUE PRÜFUNG ---
+
 try {
 console.log(`Proceeding to execute ping for "${targetIp}"...`);
 const args = ['-c', '4', targetIp];
@@ -227,7 +275,7 @@ app.get('/api/traceroute', async (req, res) => {
 console.log(`--- TRACEROUTE Request ---`);
 console.log(`Value of targetIp: "${targetIp}"`);
- const isValidResult = isValidIp(targetIp); // Verwendet jetzt die neue isValidIp
+ const isValidResult = isValidIp(targetIp);
 console.log(`isValidIp (net) result for "${targetIp}": ${isValidResult}`);
 if (!isValidResult) {
@@ -235,6 +283,13 @@ app.get('/api/traceroute', async (req, res) => {
 return res.status(400).json({ error: 'Invalid target IP address provided.' });
 }
+ // --- NEUE PRÜFUNG AUF PRIVATE IP ---
+ if (isPrivateIp(targetIp)) {
+ console.log(`Target IP "${targetIp}" is private/local. Aborting traceroute.`);
+ return res.status(403).json({ error: 'Operations on private or local IP addresses are not allowed.' });
+ }
+ // --- ENDE NEUE PRÜFUNG ---
+
 try {
 console.log(`Proceeding to execute traceroute for "${targetIp}"...`);
 const args = ['-n', targetIp]; // Linux/macOS
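Review bot: The private-range rejection inserted before `try {` in the /api/ping handler (hunk at -202) is repeated line for line in the /api/traceroute hunk at -235, so the policy now lives in two places and any further command endpoint can silently omit it; both enclosing handlers start and end outside these hunks. Folding the existing `isValidIp` 400 and the new `isPrivateIp` 403 into one helper such as `function rejectBadTarget(targetIp, res) { /* send 400 or 403 and return true, else return false */ }`, or an Express middleware that reads the target the same way the handlers do, keeps the check in one place and is also the natural home for the per-target log line. This is a structural point only; the 403 status and its message are appropriate as written.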