Add IP address and CIDR support to the allowlist#85
Merged
Conversation
Portless IP entries now match the same address on any port, and CIDR ranges match origins/destinations in the network. This fixes allowlisting 127.0.0.1 (issue #66) and homelab setups like Proxmox (issue #64). Domain entries still match the page origin only; IP/CIDR entries also match request destinations so trusted addresses work from file:// pages. Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
normalizeAllowlistEntry no longer treats every slash as CIDR, so full URLs and host/path inputs still extract the host. IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 now match IPv4/CIDR allowlist entries. Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Detect portless IP entries via URL.port so IPv6 bracket differences across URL implementations cannot disable wildcard-port matching. Also accept scheme-prefixed or trailing-slash CIDR pastes instead of silently storing only the network address. Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Cover URL/CIDR paste handling, IPv6 portless matching, IPv4-mapped unwrap, and request-filter end-to-end paths. Also stop unwrapping ::1/:: as deprecated IPv4-compatible addresses (which incorrectly became 0.0.0.1/0.0.0.0). Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Inputs like http://192.168.1.0/24/dashboard previously fell through to URL host extraction and stored only 192.168.1.0. Extract a leading IP/prefix when present, and still reject invalid prefixes. Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Keep leading CIDR extraction for pastes like /24/dashboard, but if the leading slash-number is far outside a plausible prefix for that address family (e.g. /8080), fall through to normal URL host parsing instead of rejecting the entry. Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
CIDR still needs a post-parse check because the URL standard treats /24 as a pathname, but host/scheme/path splitting no longer relies on ad-hoc regex carving. Bare IPv6 is bracketed only when URL() requires it. Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Only treat IP URLs as CIDR when the path is exactly a prefix (/24). Page URLs like http://192.168.1.50/24/items now store the host instead of accidentally allowlisting a whole subnet. Removes the maxPrefix*2 heuristic. Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
Avoid parsing the input twice for CIDR-vs-host handling, and document that bare IPv6 forms like ::1:8080 are addresses (use [::1]:8080 for ports). Co-authored-by: Hacks and Hops <ACK-J@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #66 and #64 by making IP address and CIDR allowlist entries actually take effect.
Problem
127.0.0.1:8080) while entries were stored without them.Solution
localhostis treated as equivalent to127.0.0.1when matching against IP entriesdiscord.com)127.0.0.1works fromfile://test pages too)Matching lives in
global/allowlist.jsand reuses IP helpers fromglobal/privateAddress.js. The preferences UI documents the new entry types.Example
127.0.0.1:3000127.0.0.1:80127.0.0.1192.168.1.50:8006192.168.1.50:8008192.168.1.0/24file://(empty host)127.0.0.1:80127.0.0.1evil.com127.0.0.1:80discord.comdiscord.com127.0.0.1:80discord.comTest plan
npm test— 525 passed)127.0.0.1to allowlist, openTestPortScans.html, confirm loopback scans are not blocked192.168.1.0/24) and confirm Proxmox shell/console connections workdiscord.comallowlist still only applies to pages on discord.com