ipfilter dns lookup
@ -39,6 +39,11 @@
|
|||||||
"queueconverttask": "dc.converttask",
|
"queueconverttask": "dc.converttask",
|
||||||
"queueconvertresponse": "dc.convertresponse"
|
"queueconvertresponse": "dc.convertresponse"
|
||||||
},
|
},
|
||||||
|
"dnscache": {
|
||||||
|
"enable" : true,
|
||||||
|
"ttl" : 300,
|
||||||
|
"cachesize" : 1000
|
||||||
|
},
|
||||||
"services": {
|
"services": {
|
||||||
"CoAuthoring": {
|
"CoAuthoring": {
|
||||||
"server": {
|
"server": {
|
||||||
|
|||||||
@ -9,7 +9,9 @@
|
|||||||
"aws-sdk": "^2.4.12",
|
"aws-sdk": "^2.4.12",
|
||||||
"co": "^4.6.0",
|
"co": "^4.6.0",
|
||||||
"config": "^1.21.0",
|
"config": "^1.21.0",
|
||||||
|
"dnscache": "0.0.4",
|
||||||
"escape-string-regexp": "^1.0.5",
|
"escape-string-regexp": "^1.0.5",
|
||||||
|
"ipaddr.js": "^1.2.0",
|
||||||
"log4js": "^0.6.38",
|
"log4js": "^0.6.38",
|
||||||
"mime": "^1.3.4",
|
"mime": "^1.3.4",
|
||||||
"mkdirp": "^0.5.1",
|
"mkdirp": "^0.5.1",
|
||||||
|
|||||||
@ -37,6 +37,13 @@ var request = require('request');
|
|||||||
var co = require('co');
|
var co = require('co');
|
||||||
var URI = require("uri-js");
|
var URI = require("uri-js");
|
||||||
const escapeStringRegexp = require('escape-string-regexp');
|
const escapeStringRegexp = require('escape-string-regexp');
|
||||||
|
const ipaddr = require('ipaddr.js');
|
||||||
|
var configDnsCache = config.get('dnscache');
|
||||||
|
const dnscache = require('dnscache')({
|
||||||
|
"enable": configDnsCache.get('enable'),
|
||||||
|
"ttl": configDnsCache.get('ttl'),
|
||||||
|
"cachesize": configDnsCache.get('cachesize'),
|
||||||
|
});
|
||||||
var constants = require('./constants');
|
var constants = require('./constants');
|
||||||
|
|
||||||
var configIpFilter = config.get('services.CoAuthoring.ipfilter');
|
var configIpFilter = config.get('services.CoAuthoring.ipfilter');
|
||||||
@ -511,11 +518,25 @@ function* pipeFiles(from, to) {
|
|||||||
yield pipeStreams(fromStream, toStream, true);
|
yield pipeStreams(fromStream, toStream, true);
|
||||||
}
|
}
|
||||||
exports.pipeFiles = co.wrap(pipeFiles);
|
exports.pipeFiles = co.wrap(pipeFiles);
|
||||||
function checkIpFilter(hostname) {
|
function checkIpFilter(ipString, opt_hostname) {
|
||||||
var status = 0;
|
var status = 0;
|
||||||
for (var i = 0; i < g_oIpFilterRules.length; ++i) {
|
var ip4;
|
||||||
|
var ip6;
|
||||||
|
if (ipaddr.isValid(ipString)) {
|
||||||
|
var ip = ipaddr.parse(ipString);
|
||||||
|
if ('ipv6' == ip.kind()) {
|
||||||
|
if (ip.isIPv4MappedAddress()) {
|
||||||
|
ip4 = ip.toIPv4Address().toString();
|
||||||
|
}
|
||||||
|
ip6 = ip.toNormalizedString();
|
||||||
|
} else {
|
||||||
|
ip4 = ip.toString();
|
||||||
|
ip6 = ip.toIPv4MappedAddress().toNormalizedString();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for (i = 0; i < g_oIpFilterRules.length; ++i) {
|
||||||
var rule = g_oIpFilterRules[i];
|
var rule = g_oIpFilterRules[i];
|
||||||
if (rule.exp.test(hostname)) {
|
if ((opt_hostname && rule.exp.test(opt_hostname)) || (ip4 && rule.exp.test(ip4)) || (ip6 && rule.exp.test(ip6))) {
|
||||||
if (!rule.allow) {
|
if (!rule.allow) {
|
||||||
status = cfgIpFilterErrorCode;
|
status = cfgIpFilterErrorCode;
|
||||||
}
|
}
|
||||||
@ -525,3 +546,15 @@ function checkIpFilter(hostname) {
|
|||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
exports.checkIpFilter = checkIpFilter;
|
exports.checkIpFilter = checkIpFilter;
|
||||||
|
function dnsLookup(hostname, options) {
|
||||||
|
return new Promise(function(resolve, reject) {
|
||||||
|
dnscache.lookup(hostname, options, function(err, addresses){
|
||||||
|
if (err) {
|
||||||
|
reject(err);
|
||||||
|
} else {
|
||||||
|
resolve(addresses);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
||||||
|
exports.dnsLookup = dnsLookup;
|
||||||
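Review bot: In the rewritten `checkIpFilter`, an `ipString` that `ipaddr.isValid` rejects leaves `ip4` and `ip6` undefined, so when no `opt_hostname` is passed the condition is false for every rule and the function returns 0; the old code tested the raw string against each rule, so a catch-all deny rule still applied. The request-side caller passes only `ipString`, so keeping the raw-string test as a fallback avoids failing open: add `(!ip4 && !ip6 && rule.exp.test(ipString))` as a fourth alternative in the `if`. The loop header also changed from `for (var i = 0; ...` to `for (i = 0; ...` with no `var i` visible in the hunk, which makes `i` an implicit global unless it is declared in the lines between the two hunks; `for (var i = 0; i < g_oIpFilterRules.length; ++i) {` restores the declaration. The function body continues outside the hunk.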
@ -12,7 +12,6 @@
|
|||||||
"express": "^4.14.0",
|
"express": "^4.14.0",
|
||||||
"fakeredis": "^1.0.3",
|
"fakeredis": "^1.0.3",
|
||||||
"forwarded": "^0.1.0",
|
"forwarded": "^0.1.0",
|
||||||
"ipaddr.js": "^1.2.0",
|
|
||||||
"mime": "^1.3.4",
|
"mime": "^1.3.4",
|
||||||
"multiparty": "^4.1.2",
|
"multiparty": "^4.1.2",
|
||||||
"mysql": "^2.11.1",
|
"mysql": "^2.11.1",
|
||||||
|
|||||||
@ -720,7 +720,8 @@ function* bindEvents(docId, callback, baseUrl, opt_userAction, opt_userData) {
|
|||||||
oCallbackUrl = parseUrl(callback);
|
oCallbackUrl = parseUrl(callback);
|
||||||
bChangeBase = c_oAscChangeBase.All;
|
bChangeBase = c_oAscChangeBase.All;
|
||||||
if (null !== oCallbackUrl) {
|
if (null !== oCallbackUrl) {
|
||||||
if (utils.checkIpFilter(oCallbackUrl.host) > 0) {
|
var hostIp = yield utils.dnsLookup(oCallbackUrl.host);
|
||||||
|
if (utils.checkIpFilter(hostIp, oCallbackUrl.host) > 0) {
|
||||||
logger.error('checkIpFilter error: docId = %s;url = %s', docId, callback);
|
logger.error('checkIpFilter error: docId = %s;url = %s', docId, callback);
|
||||||
//todo add new error type
|
//todo add new error type
|
||||||
oCallbackUrl = null;
|
oCallbackUrl = null;
|
||||||
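Review bot: A rejected `utils.dnsLookup(oCallbackUrl.host)` is not handled at this call site: the `yield` throws out of `bindEvents` before `checkIpFilter` runs, so an unresolvable callback host takes an exception path instead of the existing blocked-URL path (`oCallbackUrl = null`). The same unguarded `yield utils.dnsLookup(...)` is added in `downloadFile`, where it sits above the `try` of the retry loop. Treating a failed lookup as a filter failure keeps both callers fail-closed; a sketch for this site follows (the function starts and ends outside the hunk, and the non-zero status value is a placeholder). This site also passes `oCallbackUrl.host` while `downloadFile` passes `urlParsed.hostname`; if `parseUrl` keeps a port in `host`, the lookup would receive `name:port`, which is worth confirming.

```javascript
if (null !== oCallbackUrl) {
  var filterStatus;
  try {
    var hostIp = yield utils.dnsLookup(oCallbackUrl.host);
    filterStatus = utils.checkIpFilter(hostIp, oCallbackUrl.host);
  } catch (e) {
    // lookup failed: handle the callback host like a filtered one
    filterStatus = 1;
  }
  if (filterStatus > 0) {
    // … unchanged: logger.error('checkIpFilter error …') and oCallbackUrl = null …
```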
|
|||||||
@ -105,7 +105,6 @@ if (cluster.isMaster) {
|
|||||||
const bodyParser = require("body-parser");
|
const bodyParser = require("body-parser");
|
||||||
const mime = require('mime');
|
const mime = require('mime');
|
||||||
const forwarded = require('forwarded');
|
const forwarded = require('forwarded');
|
||||||
const ipaddr = require('ipaddr.js');
|
|
||||||
const docsCoServer = require('./DocsCoServer');
|
const docsCoServer = require('./DocsCoServer');
|
||||||
const canvasService = require('./canvasservice');
|
const canvasService = require('./canvasservice');
|
||||||
const converterService = require('./converterservice');
|
const converterService = require('./converterservice');
|
||||||
@ -167,13 +166,6 @@ if (cluster.isMaster) {
|
|||||||
if (cfgIpFilterEseForRequest) {
|
if (cfgIpFilterEseForRequest) {
|
||||||
var addresses = forwarded(req);
|
var addresses = forwarded(req);
|
||||||
var ipString = addresses[addresses.length - 1];
|
var ipString = addresses[addresses.length - 1];
|
||||||
//IPv6 -> IPv4
|
|
||||||
if (ipaddr.IPv6.isValid(ipString)) {
|
|
||||||
var ip = ipaddr.IPv6.parse(ipString);
|
|
||||||
if (ip.isIPv4MappedAddress()) {
|
|
||||||
ipString = ip.toIPv4Address().toString();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
status = utils.checkIpFilter(ipString);
|
status = utils.checkIpFilter(ipString);
|
||||||
}
|
}
|
||||||
if (status > 0) {
|
if (status > 0) {
|
||||||
|
|||||||
@ -167,7 +167,8 @@ function* downloadFile(docId, uri, fileFrom) {
|
|||||||
var data = null;
|
var data = null;
|
||||||
var downloadAttemptCount = 0;
|
var downloadAttemptCount = 0;
|
||||||
var urlParsed = url.parse(uri);
|
var urlParsed = url.parse(uri);
|
||||||
var filterStatus = utils.checkIpFilter(urlParsed.hostname);
|
var hostIp = yield utils.dnsLookup(urlParsed.hostname);
|
||||||
|
var filterStatus = utils.checkIpFilter(hostIp, urlParsed.hostname);
|
||||||
if (0 == filterStatus) {
|
if (0 == filterStatus) {
|
||||||
while (!res && downloadAttemptCount++ < cfgDownloadAttemptMaxCount) {
|
while (!res && downloadAttemptCount++ < cfgDownloadAttemptMaxCount) {
|
||||||
try {
|
try {
|
||||||
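Review bot: The address that passes the filter is not tied to the address the download connects to: `hostIp` is used only for `checkIpFilter`, and the request inside the retry loop (below the hunk, not visible here) presumably still goes out by hostname and resolves it again. With `dnscache.enable` on, the second resolution is likely served from the cache within the TTL, but that is a configuration setting rather than a guarantee, and `dnsLookup` called without options yields a single address for a host that may have several. Consider connecting to the vetted address itself and applying the same check to every redirect hop if redirects are followed; at minimum record the gap next to the check, e.g. `// hostIp is only checked here; the request below resolves urlParsed.hostname again`. `downloadFile` continues outside the hunk.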
|
|||||||