Log first non private, unicast ip in X-Forwarded-For

pace · Aug 28, 2020 · a7ab701 · a7ab701
1 parent 94a2468
commit a7ab701
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/maintenance/log/handler.go b/maintenance/log/handler.go
@@ -69,7 +69,7 @@ func ProxyAwareRemote(r *http.Request) string {
 		for i := len(addresses) - 1; i >= 0; i-- {
 			ip := strings.TrimSpace(addresses[i])
 			realIP := net.ParseIP(ip)
-			if !realIP.IsGlobalUnicast() {
+			if !realIP.IsGlobalUnicast() || isPrivate(realIP) {
 				continue // bad address, go to next
 			}
 			return ip
@@ -85,6 +85,21 @@ func ProxyAwareRemote(r *http.Request) string {
 	return host
 }
 
+// isPrivate reports whether `ip' is a local address, according to
+// RFC 1918 (IPv4 addresses) and RFC 4193 (IPv6 addresses).
+// Remove as soon as https://github.com/golang/go/issues/29146 is resolved
+func isPrivate(ip net.IP) bool {
+	if ip4 := ip.To4(); ip4 != nil {
+		// Local IPv4 addresses are defined in https://tools.ietf.org/html/rfc1918
+		return ip4[0] == 10 ||
+			(ip4[0] == 172 && ip4[1]&0xf0 == 16) ||
+			(ip4[0] == 192 && ip4[1] == 168)
+	}
+
+	// Local IPv6 addresses are defined in https://tools.ietf.org/html/rfc4193
+	return len(ip) == net.IPv6len && ip[0]&0xfe == 0xfc
+}
+
 var noXid = errors.New("no xid")
 
 func RequestIDHandler(fieldKey, headerName string) func(next http.Handler) http.Handler {

diff --git a/maintenance/log/handler_test.go b/maintenance/log/handler_test.go
@@ -4,6 +4,7 @@
 package log
 
 import (
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -29,3 +30,27 @@ func TestLoggingHandler(t *testing.T) {
 		t.Error("expected 201 status code")
 	}
 }
+
+func Test_isPrivate(t *testing.T) {
+	tests := []struct {
+		ip   net.IP
+		want bool
+	}{
+		{nil, false},
+		{net.IPv4(10, 0, 0, 0), true},
+		{net.IPv4(11, 0, 0, 0), false},
+		{net.IPv4(172, 16, 0, 0), true},
+		{net.IPv4(172, 32, 0, 0), false},
+		{net.IPv4(192, 168, 0, 0), true},
+		{net.IPv4(192, 169, 0, 0), false},
+		{net.IP{0xfc, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, true},
+		{net.IP{0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.ip.String(), func(t *testing.T) {
+			if got := isPrivate(tt.ip); got != tt.want {
+				t.Errorf("isPrivate() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}