Merged
2 changes: 1 addition & 1 deletion core/init/router/router.go
@@ -66,7 +66,7 @@ func setWebStatic(rootRouter *gin.RouterGroup) {
}

func Routers() *gin.Engine {
Router = gin.Default()
Router = gin.New()
Router.Use(i18n.UseI18n())
Router.Use(middleware.WhiteAllow())
Router.Use(middleware.BindDomain())
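Review bot: Assuming `gin.New()` is the new side (the +/- markers are lost on this page), the engine built in `Routers` no longer gets the Logger and Recovery middleware that `gin.Default()` installs, and none of the three visible `Router.Use` calls replaces Recovery. If nothing further down in `Routers` (its body continues outside this hunk) registers one, a panic in a handler is no longer turned into a 500 response by gin; adding `Router.Use(gin.Recovery())` right after `gin.New()` keeps that behaviour. Because this change set moves the allowlist checks to the socket peer address, it may also be worth calling `Router.SetTrustedProxies(nil)` here, so that any `c.ClientIP()` caller that remains elsewhere stops honouring forwarded headers.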
6 changes: 5 additions & 1 deletion core/middleware/ip_limit.go
@@ -9,15 +9,19 @@
"github.com/gin-gonic/gin"
)

func WhiteAllow() gin.HandlerFunc {

Check failure on line 12 in core/middleware/ip_limit.go


SonarQubeCloud / SonarCloud Code Analysis

Refactor this method to reduce its Cognitive Complexity from 19 to the 15 allowed.

See more on https://sonarcloud.io/project/issues?id=1Panel-dev_1Panel&issues=AZrEIaVESchGjxeKdKk0&open=AZrEIaVESchGjxeKdKk0&pullRequest=11102
return func(c *gin.Context) {
tokenString := c.GetHeader("X-Panel-Local-Token")
clientIP := c.ClientIP()
clientIP := common.GetRealClientIP(c)
if clientIP == "127.0.0.1" && tokenString != "" && c.Request.URL.Path == "/api/v2/core/xpack/sync/ssl" {
c.Set("LOCAL_REQUEST", true)
c.Next()
return
}
if common.IsPrivateIP(clientIP) {
c.Next()
return
}

settingRepo := repo.NewISettingRepo()
status, err := settingRepo.Get(repo.WithByKey("AllowIPs"))
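Review bot: The new `if common.IsPrivateIP(clientIP)` branch lets every request whose TCP peer is private or loopback skip the `AllowIPs` check, and `GetRealClientIP` reads only `RemoteAddr`, so when the panel sits behind a reverse proxy on the same host or LAN the peer is always the proxy and the allowlist stops applying to external clients. The same early return is added in `checkIPLimit` in core/utils/security/security.go. Consider making the private-range bypass an explicit, default-off setting, or resolving the client address through a configured list of trusted proxies before this check, so the allowlist fails closed when the deployment topology is unknown. In the first branch the visible lines only test that `X-Panel-Local-Token` is non-empty before setting `LOCAL_REQUEST`; if the token is not validated later, that validation belongs here, since a local proxy makes every peer `127.0.0.1`. The handler body continues outside the hunk.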
16 changes: 16 additions & 0 deletions core/utils/common/common.go
@@ -245,3 +245,19 @@
}
return info
}

func GetRealClientIP(c *gin.Context) string {

Check warning on line 249 in core/utils/common/common.go


SonarQubeCloud / SonarCloud Code Analysis

Remove the 'Get' prefix from this function name.

See more on https://sonarcloud.io/project/issues?id=1Panel-dev_1Panel&issues=AZrENkkmXRoUDQIWD8rL&open=AZrENkkmXRoUDQIWD8rL&pullRequest=11102
addr := c.Request.RemoteAddr
if ip, _, err := net.SplitHostPort(addr); err == nil {

Check failure on line 251 in core/utils/common/common.go


SonarQubeCloud / SonarCloud Code Analysis

Check this error or remove the variable if the error can be safely ignored.

See more on https://sonarcloud.io/project/issues?id=1Panel-dev_1Panel&issues=AZrENkkmXRoUDQIWD8rM&open=AZrENkkmXRoUDQIWD8rM&pullRequest=11102
return ip
}
return addr
}

func IsPrivateIP(ipStr string) bool {
ip := net.ParseIP(ipStr)
if ip == nil {
return false
}
return ip.IsPrivate() || ip.IsLoopback()
}
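--- a/core/utils/security/security.go
+++ b/core/utils/security/security.go
@@ -163,7 +163,11 @@ func checkIPLimit(c *gin.Context) bool {
 if len(status.Value) == 0 {
 return true
 }
-clientIP := c.ClientIP()
+clientIP := common.GetRealClientIP(c)
+if common.IsPrivateIP(clientIP) {
+return true
+}
+
 for _, ip := range strings.Split(status.Value, ",") {
 if len(ip) == 0 {
 continue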