add private ip check

2026-04-23 07:53:45 +02:00 · 2025-03-29 11:56:16 +01:00
parent 06862e2023
commit 654df54fa7
1 changed files with 57 additions and 2 deletions
--- a/backend/server.js
+++ b/backend/server.js
@@ -101,6 +101,47 @@ function executeCommand(command, args) {
 }
 /**
 * Prüft, ob eine IP-Adresse im privaten, Loopback- oder Link-Local-Bereich liegt.
 * @param {string} ip - Die zu prüfende IP-Adresse (bereits validiert).
 * @returns {boolean} True, wenn die IP privat/lokal ist, sonst false.
 */
 function isPrivateIp(ip) {
    if (!ip) return false; // Sollte durch isValidIp vorher abgefangen werden
    const ipVersion = net.isIP(ip); // Gibt 4 oder 6 zurück
    if (ipVersion === 4) {
        const parts = ip.split('.').map(Number);
        return (
            // 10.0.0.0/8
            parts[0] === 10 ||
            // 172.16.0.0/12
            (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) ||
            // 192.168.0.0/16
            (parts[0] === 192 && parts[1] === 168) ||
            // 127.0.0.0/8 (Loopback)
            parts[0] === 127 ||
            // 169.254.0.0/16 (Link-local)
            (parts[0] === 169 && parts[1] === 254)
        );
    } else if (ipVersion === 6) {
        const lowerCaseIp = ip.toLowerCase();
        return (
            // ::1/128 (Loopback)
            lowerCaseIp === '::1' ||
            // fc00::/7 (Unique Local Addresses)
            lowerCaseIp.startsWith('fc') || lowerCaseIp.startsWith('fd') ||
            // fe80::/10 (Link-local)
            lowerCaseIp.startsWith('fe8') || lowerCaseIp.startsWith('fe9') ||
            lowerCaseIp.startsWith('fea') || lowerCaseIp.startsWith('feb')
        );
    }
    // Wenn net.isIP 0 zurückgibt (sollte nicht passieren nach isValidIp)
    return false;
 }
 // --- Initialisierung (MaxMind DBs laden) ---
 async function initialize() {
    try {
@@ -194,7 +235,7 @@ app.get('/api/ping', async (req, res) => {
    console.log(`--- PING Request ---`);
    console.log(`Value of targetIp: "${targetIp}"`);
-    const isValidResult = isValidIp(targetIp); // Verwendet jetzt die neue isValidIp
+    const isValidResult = isValidIp(targetIp);
    console.log(`isValidIp (net) result for "${targetIp}": ${isValidResult}`);
    if (!isValidResult) {
@@ -202,6 +243,13 @@ app.get('/api/ping', async (req, res) => {
        return res.status(400).json({ error: 'Invalid target IP address provided.' });
    }
    // --- NEUE PRÜFUNG AUF PRIVATE IP ---
    if (isPrivateIp(targetIp)) {
        console.log(`Target IP "${targetIp}" is private/local. Aborting ping.`);
        return res.status(403).json({ error: 'Operations on private or local IP addresses are not allowed.' });
    }
    // --- ENDE NEUE PRÜFUNG ---
    try {
        console.log(`Proceeding to execute ping for "${targetIp}"...`);
        const args = ['-c', '4', targetIp];
@@ -227,7 +275,7 @@ app.get('/api/traceroute', async (req, res) => {
    console.log(`--- TRACEROUTE Request ---`);
    console.log(`Value of targetIp: "${targetIp}"`);
-    const isValidResult = isValidIp(targetIp); // Verwendet jetzt die neue isValidIp
+    const isValidResult = isValidIp(targetIp);
    console.log(`isValidIp (net) result for "${targetIp}": ${isValidResult}`);
    if (!isValidResult) {
@@ -235,6 +283,13 @@ app.get('/api/traceroute', async (req, res) => {
        return res.status(400).json({ error: 'Invalid target IP address provided.' });
    }
    // --- NEUE PRÜFUNG AUF PRIVATE IP ---
    if (isPrivateIp(targetIp)) {
        console.log(`Target IP "${targetIp}" is private/local. Aborting traceroute.`);
        return res.status(403).json({ error: 'Operations on private or local IP addresses are not allowed.' });
    }
    // --- ENDE NEUE PRÜFUNG ---
    try {
        console.log(`Proceeding to execute traceroute for "${targetIp}"...`);
        const args = ['-n', targetIp]; // Linux/macOS