fatchan
/
jschan
mirror of https://gitgud.io/fatchan/jschan.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity
jschan - Anonymous imageboard software. Classic look, modern features and feel. Works without JavaScript and supports Tor, I2P, Lokinet, etc.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2160 Commits
5 Branches
69 Tags
54 MiB
Tag: Branch: Tree: de4967e7e5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'de4967e7e5'
${ noResults }
jschan/helpers/processip.js

59 lines
1.6 KiB
Raw Normal View History Unescape

add ip range bans
5 years ago
'use strict';
This did not go as planned
4 years ago
const config = require(__dirname+'/../config.js')
procesisp make ranges use CIDR notation, so its easier to understand and uses more sensible ranges for ipv6 todo: rename every "hrange" and "qrange" with nrabge and brange? narrow/broad? would need to migrate a bunch of existing db shit for bans, posts, etc probably a pain in my ass and remove a leftover console.log
3 years ago
, { createCIDR, parse } = require('ip6addr')
Beta testing .onion support ***DO NOT USE*** This still has some issues and needs testing. - needs updated nginx configs added, expects "TOR" in the x-country-code header under a separate vhost - need to make sure bans work properly still - need to implement system to prevent captcha ddos, since i cant just to IP ratelimit now - im 99% sure post history of tor users is broken if viewed by non-global staff - manual input ban form will also be broken for non-global staff - could still use some improvement on the middleware having a little more complicated flor for tor users But for the most part it works. Basically it will use the bypass id of a tor user as their "ip".
4 years ago
, deleteTempFiles = require(__dirname+'/files/deletetempfiles.js')
, dynamicResponse = require(__dirname+'/dynamic.js')
start option for unhashed ips
5 years ago
, hashIp = require(__dirname+'/haship.js');
add ip range bans
5 years ago
module.exports = (req, res, next) => {
Beta testing .onion support ***DO NOT USE*** This still has some issues and needs testing. - needs updated nginx configs added, expects "TOR" in the x-country-code header under a separate vhost - need to make sure bans work properly still - need to implement system to prevent captcha ddos, since i cant just to IP ratelimit now - im 99% sure post history of tor users is broken if viewed by non-global staff - manual input ban form will also be broken for non-global staff - could still use some improvement on the middleware having a little more complicated flor for tor users But for the most part it works. Basically it will use the bypass id of a tor user as their "ip".
4 years ago
Bugfix for repeated getting new bypass when tor user didnt need one. not necessarily a big problem but it means they would keep getting new ids. this could actually be leveraged for a scuffed auto-refresh system in future
4 years ago
//tor user ip uses bypass id, if they dont have one send to blockbypass
rename some tor-specific stuff to "anonymizer" to be more general since i added lokinet to my site, will make easier to add others e.g. i2p in futuure
4 years ago
if (res.locals.anonymizer) {
Bugfix for repeated getting new bypass when tor user didnt need one. not necessarily a big problem but it means they would keep getting new ids. this could actually be leveraged for a scuffed auto-refresh system in future
4 years ago
const pseudoIp = res.locals.preFetchedBypassId || req.signedCookies.bypassid;
Beta testing .onion support ***DO NOT USE*** This still has some issues and needs testing. - needs updated nginx configs added, expects "TOR" in the x-country-code header under a separate vhost - need to make sure bans work properly still - need to implement system to prevent captcha ddos, since i cant just to IP ratelimit now - im 99% sure post history of tor users is broken if viewed by non-global staff - manual input ban form will also be broken for non-global staff - could still use some improvement on the middleware having a little more complicated flor for tor users But for the most part it works. Basically it will use the bypass id of a tor user as their "ip".
4 years ago
res.locals.ip = {
Bugfix for repeated getting new bypass when tor user didnt need one. not necessarily a big problem but it means they would keep getting new ids. this could actually be leveraged for a scuffed auto-refresh system in future
4 years ago
raw: pseudoIp,
single: pseudoIp,
qrange: pseudoIp,
hrange: pseudoIp,
Beta testing .onion support ***DO NOT USE*** This still has some issues and needs testing. - needs updated nginx configs added, expects "TOR" in the x-country-code header under a separate vhost - need to make sure bans work properly still - need to implement system to prevent captcha ddos, since i cant just to IP ratelimit now - im 99% sure post history of tor users is broken if viewed by non-global staff - manual input ban form will also be broken for non-global staff - could still use some improvement on the middleware having a little more complicated flor for tor users But for the most part it works. Basically it will use the bypass id of a tor user as their "ip".
4 years ago
};
return next();
}
//ip for normal user
This did not go as planned
4 years ago
const { ipHeader, ipHashPermLevel } = config.get;
Customisable header for IP and country code, and improve how country names are handled
4 years ago
const ip = req.headers[ipHeader] || req.connection.remoteAddress;
normalize IP addresses Currently jschan takes the IP address as a string from the `X-Real-Ip` header, which based on the frontend proxy configuration, OS settings, etc. can take various forms: IPv4 addresses can be given in normal IPv4 dotted notation (e.g. `1.2.3.4`) or as an IPv4-mapped IPv6 address (e.g. `::ffff:1.2.3.4`). The problem is, that in the latter case, node's `isIP` will report 6, so the code will try to split it along colons, breaking hrange and qrange. With IPv6 addresses, it's possible to elide runs of zeroes, so `::1` and `0:0:0:0:0:0:0:1` (and also `0000:0000:0000:0000:0000:0000:0000:0001`) represents the same address. Since it's pretty easy to get a /64 IPv6 block, a spammer can abuse it, by spamming from `a:b:c:d::1` (`qrange=a:b:c:d`, `hrange=a:b:c`), then from `a:b:c:d::1:1` (`qrange=a:b:c:d:`, `hrange=a:b:c`), `a:b:c:d::1:1:1` (`qrange=a:b:c:d::1`, `hrange=a:b:c:d`) and `a:b:c:d:1:1:1:1` (`qrange=a:b:c:d:1:1`, `hrange=a:b:c:d`). He practically got two hranges and qrange is pretty much pointless for IPv6 addresses. This change uses the `ip6addr` package to parse IP addresses and convert it to some canonical form. This means: * IPv4 and IPv4-mapped IPv6 addresses are converted to normal IPv4 notation. * Zero are not elided in IPv6 (so you'll never see `::`). * IPv6 addresses are not zero padded (so `..:1` instead of `..:0001`). * Even though it's not documented, it seems like `ip6addr` always generates lower-case letters. This will unfortunately mean that some IP hashes may change after the update. Normal IPv4 hashes will most probably remain the same though.
4 years ago
try {
const ipParsed = parse(ip);
procesisp make ranges use CIDR notation, so its easier to understand and uses more sensible ranges for ipv6 todo: rename every "hrange" and "qrange" with nrabge and brange? narrow/broad? would need to migrate a bunch of existing db shit for bans, posts, etc probably a pain in my ass and remove a leftover console.log
3 years ago
const ipKind = ipParsed.kind();
normalize IP addresses Currently jschan takes the IP address as a string from the `X-Real-Ip` header, which based on the frontend proxy configuration, OS settings, etc. can take various forms: IPv4 addresses can be given in normal IPv4 dotted notation (e.g. `1.2.3.4`) or as an IPv4-mapped IPv6 address (e.g. `::ffff:1.2.3.4`). The problem is, that in the latter case, node's `isIP` will report 6, so the code will try to split it along colons, breaking hrange and qrange. With IPv6 addresses, it's possible to elide runs of zeroes, so `::1` and `0:0:0:0:0:0:0:1` (and also `0000:0000:0000:0000:0000:0000:0000:0001`) represents the same address. Since it's pretty easy to get a /64 IPv6 block, a spammer can abuse it, by spamming from `a:b:c:d::1` (`qrange=a:b:c:d`, `hrange=a:b:c`), then from `a:b:c:d::1:1` (`qrange=a:b:c:d:`, `hrange=a:b:c`), `a:b:c:d::1:1:1` (`qrange=a:b:c:d::1`, `hrange=a:b:c:d`) and `a:b:c:d:1:1:1:1` (`qrange=a:b:c:d:1:1`, `hrange=a:b:c:d`). He practically got two hranges and qrange is pretty much pointless for IPv6 addresses. This change uses the `ip6addr` package to parse IP addresses and convert it to some canonical form. This means: * IPv4 and IPv4-mapped IPv6 addresses are converted to normal IPv4 notation. * Zero are not elided in IPv6 (so you'll never see `::`). * IPv6 addresses are not zero padded (so `..:1` instead of `..:0001`). * Even though it's not documented, it seems like `ip6addr` always generates lower-case letters. This will unfortunately mean that some IP hashes may change after the update. Normal IPv4 hashes will most probably remain the same though.
4 years ago
const ipStr = ipParsed.toString({
procesisp make ranges use CIDR notation, so its easier to understand and uses more sensible ranges for ipv6 todo: rename every "hrange" and "qrange" with nrabge and brange? narrow/broad? would need to migrate a bunch of existing db shit for bans, posts, etc probably a pain in my ass and remove a leftover console.log
3 years ago
format: ipKind === 'ipv4' ? 'v4' : 'v6',
normalize IP addresses Currently jschan takes the IP address as a string from the `X-Real-Ip` header, which based on the frontend proxy configuration, OS settings, etc. can take various forms: IPv4 addresses can be given in normal IPv4 dotted notation (e.g. `1.2.3.4`) or as an IPv4-mapped IPv6 address (e.g. `::ffff:1.2.3.4`). The problem is, that in the latter case, node's `isIP` will report 6, so the code will try to split it along colons, breaking hrange and qrange. With IPv6 addresses, it's possible to elide runs of zeroes, so `::1` and `0:0:0:0:0:0:0:1` (and also `0000:0000:0000:0000:0000:0000:0000:0001`) represents the same address. Since it's pretty easy to get a /64 IPv6 block, a spammer can abuse it, by spamming from `a:b:c:d::1` (`qrange=a:b:c:d`, `hrange=a:b:c`), then from `a:b:c:d::1:1` (`qrange=a:b:c:d:`, `hrange=a:b:c`), `a:b:c:d::1:1:1` (`qrange=a:b:c:d::1`, `hrange=a:b:c:d`) and `a:b:c:d:1:1:1:1` (`qrange=a:b:c:d:1:1`, `hrange=a:b:c:d`). He practically got two hranges and qrange is pretty much pointless for IPv6 addresses. This change uses the `ip6addr` package to parse IP addresses and convert it to some canonical form. This means: * IPv4 and IPv4-mapped IPv6 addresses are converted to normal IPv4 notation. * Zero are not elided in IPv6 (so you'll never see `::`). * IPv6 addresses are not zero padded (so `..:1` instead of `..:0001`). * Even though it's not documented, it seems like `ip6addr` always generates lower-case letters. This will unfortunately mean that some IP hashes may change after the update. Normal IPv4 hashes will most probably remain the same though.
4 years ago
zeroElide: false,
zeroPad: false,
});
procesisp make ranges use CIDR notation, so its easier to understand and uses more sensible ranges for ipv6 todo: rename every "hrange" and "qrange" with nrabge and brange? narrow/broad? would need to migrate a bunch of existing db shit for bans, posts, etc probably a pain in my ass and remove a leftover console.log
3 years ago
let qrange = ''
, hrange = '';
if (ipKind === 'ipv4') {
processip: fix `Ip parse failed Error: cannot print non-v4 address as a v4-mapped address` errors with ipv6 mapped ipv4 addresses
3 years ago
qrange = createCIDR(ipStr, 24).toString();
hrange = createCIDR(ipStr, 16).toString();
procesisp make ranges use CIDR notation, so its easier to understand and uses more sensible ranges for ipv6 todo: rename every "hrange" and "qrange" with nrabge and brange? narrow/broad? would need to migrate a bunch of existing db shit for bans, posts, etc probably a pain in my ass and remove a leftover console.log
3 years ago
} else {
processip: fix `Ip parse failed Error: cannot print non-v4 address as a v4-mapped address` errors with ipv6 mapped ipv4 addresses
3 years ago
qrange = createCIDR(ipStr, 64).toString();
hrange = createCIDR(ipStr, 48).toString();
procesisp make ranges use CIDR notation, so its easier to understand and uses more sensible ranges for ipv6 todo: rename every "hrange" and "qrange" with nrabge and brange? narrow/broad? would need to migrate a bunch of existing db shit for bans, posts, etc probably a pain in my ass and remove a leftover console.log
3 years ago
}
use net module in ip process handler
5 years ago
res.locals.ip = {
normalize IP addresses Currently jschan takes the IP address as a string from the `X-Real-Ip` header, which based on the frontend proxy configuration, OS settings, etc. can take various forms: IPv4 addresses can be given in normal IPv4 dotted notation (e.g. `1.2.3.4`) or as an IPv4-mapped IPv6 address (e.g. `::ffff:1.2.3.4`). The problem is, that in the latter case, node's `isIP` will report 6, so the code will try to split it along colons, breaking hrange and qrange. With IPv6 addresses, it's possible to elide runs of zeroes, so `::1` and `0:0:0:0:0:0:0:1` (and also `0000:0000:0000:0000:0000:0000:0000:0001`) represents the same address. Since it's pretty easy to get a /64 IPv6 block, a spammer can abuse it, by spamming from `a:b:c:d::1` (`qrange=a:b:c:d`, `hrange=a:b:c`), then from `a:b:c:d::1:1` (`qrange=a:b:c:d:`, `hrange=a:b:c`), `a:b:c:d::1:1:1` (`qrange=a:b:c:d::1`, `hrange=a:b:c:d`) and `a:b:c:d:1:1:1:1` (`qrange=a:b:c:d:1:1`, `hrange=a:b:c:d`). He practically got two hranges and qrange is pretty much pointless for IPv6 addresses. This change uses the `ip6addr` package to parse IP addresses and convert it to some canonical form. This means: * IPv4 and IPv4-mapped IPv6 addresses are converted to normal IPv4 notation. * Zero are not elided in IPv6 (so you'll never see `::`). * IPv6 addresses are not zero padded (so `..:1` instead of `..:0001`). * Even though it's not documented, it seems like `ip6addr` always generates lower-case letters. This will unfortunately mean that some IP hashes may change after the update. Normal IPv4 hashes will most probably remain the same though.
4 years ago
raw: ipHashPermLevel === -1 ? hashIp(ipStr) : ipStr,
single: hashIp(ipStr),
Start fixing my really dumb retard mistake of how ips and post histories work
4 years ago
qrange: hashIp(qrange),
hrange: hashIp(hrange),
use net module in ip process handler
5 years ago
}
next();
normalize IP addresses Currently jschan takes the IP address as a string from the `X-Real-Ip` header, which based on the frontend proxy configuration, OS settings, etc. can take various forms: IPv4 addresses can be given in normal IPv4 dotted notation (e.g. `1.2.3.4`) or as an IPv4-mapped IPv6 address (e.g. `::ffff:1.2.3.4`). The problem is, that in the latter case, node's `isIP` will report 6, so the code will try to split it along colons, breaking hrange and qrange. With IPv6 addresses, it's possible to elide runs of zeroes, so `::1` and `0:0:0:0:0:0:0:1` (and also `0000:0000:0000:0000:0000:0000:0000:0001`) represents the same address. Since it's pretty easy to get a /64 IPv6 block, a spammer can abuse it, by spamming from `a:b:c:d::1` (`qrange=a:b:c:d`, `hrange=a:b:c`), then from `a:b:c:d::1:1` (`qrange=a:b:c:d:`, `hrange=a:b:c`), `a:b:c:d::1:1:1` (`qrange=a:b:c:d::1`, `hrange=a:b:c:d`) and `a:b:c:d:1:1:1:1` (`qrange=a:b:c:d:1:1`, `hrange=a:b:c:d`). He practically got two hranges and qrange is pretty much pointless for IPv6 addresses. This change uses the `ip6addr` package to parse IP addresses and convert it to some canonical form. This means: * IPv4 and IPv4-mapped IPv6 addresses are converted to normal IPv4 notation. * Zero are not elided in IPv6 (so you'll never see `::`). * IPv6 addresses are not zero padded (so `..:1` instead of `..:0001`). * Even though it's not documented, it seems like `ip6addr` always generates lower-case letters. This will unfortunately mean that some IP hashes may change after the update. Normal IPv4 hashes will most probably remain the same though.
4 years ago
} catch(e) {
console.error('Ip parse failed', e);
use net module in ip process handler
5 years ago
return res.status(400).render('message', {
'title': 'Bad request',
'message': 'Malformed IP' //should never get here
});
add ip range bans
5 years ago
}
Beta testing .onion support ***DO NOT USE*** This still has some issues and needs testing. - needs updated nginx configs added, expects "TOR" in the x-country-code header under a separate vhost - need to make sure bans work properly still - need to implement system to prevent captcha ddos, since i cant just to IP ratelimit now - im 99% sure post history of tor users is broken if viewed by non-global staff - manual input ban form will also be broken for non-global staff - could still use some improvement on the middleware having a little more complicated flor for tor users But for the most part it works. Basically it will use the bypass id of a tor user as their "ip".
4 years ago
add ip range bans
5 years ago
}