Support ip ranges in bypass list (#530)

* Support ip ranges in bypass list

* Add more unit tests

Author: timokoessler

end2end/tests/hono-xml-blocklists.test.js

@@ -21,7 +21,7 @@ t.beforeEach(async () => {
       Authorization: token,
     },
     body: JSON.stringify({
-      allowedIPAddresses: ["1.3.2.1", "1.3.2.2"],
+      allowedIPAddresses: ["1.3.2.1", "1.3.2.2", "123.4.0.0/16"], // bypass list
       endpoints: [
         {
           route: "/admin",
@@ -209,6 +209,17 @@ t.test("it blocks bots", (t) => {
         "You are not allowed to access this resource because you have been identified as a bot."
       );
 
+      // Do not block if on allowlist
+      const resp3 = await fetch("http://127.0.0.1:4003/", {
+        headers: {
+          "User-Agent":
+            "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; GPTBot/1.1; +https://openai.com/gptbot",
+          "X-Forwarded-For": "123.4.5.6",
+        },
+        signal: AbortSignal.timeout(5000),
+      });
+      t.same(resp3.status, 200);
+
       // Does not block allowed user agents
       const allowedUserAgents = [
         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.2 Safari/605.1.15",

library/agent/ServiceConfig.test.ts

@@ -200,3 +200,57 @@ t.test("only allow some ips: empty list", async () => {
   t.same(config.isAllowedIPAddress("1.2.3.4").allowed, true);
   t.same(config.isAllowedIPAddress("4.3.2.1").allowed, true);
 });
+
+t.test("bypassed ips support cidr", async () => {
+  const config = new ServiceConfig(
+    [],
+    0,
+    [],
+    ["192.168.2.0/24", "::1"],
+    false,
+    [],
+    []
+  );
+
+  t.same(config.isBypassedIP("192.168.2.32"), true);
+  t.same(config.isBypassedIP("::1"), true);
+  t.same(config.isBypassedIP("::2"), false);
+  t.same(config.isBypassedIP("10.0.0.1"), false);
+
+  config.updateConfig(
+    [],
+    0,
+    [],
+    ["invalid", "2002::1/124", "127.0.0.1"],
+    false
+  );
+
+  t.same(config.isBypassedIP("2002::6"), true);
+  t.same(config.isBypassedIP("2002::f"), true);
+  t.same(config.isBypassedIP("2002::10"), false);
+  t.same(config.isBypassedIP("127.0.0.1"), true);
+  t.same(config.isBypassedIP("192.168.2.1"), false);
+  t.same(config.isBypassedIP("::1"), false);
+
+  config.updateConfig(
+    [],
+    0,
+    [],
+    ["0", "123.123.123.1/32", "234.0.0.0/8", "999.999.999.999", "::1/128"],
+    false
+  );
+
+  t.same(config.isBypassedIP("123.123.123.1"), true);
+  t.same(config.isBypassedIP("124.123.123.1"), false);
+  t.same(config.isBypassedIP("234.1.2.3"), true);
+  t.same(config.isBypassedIP("235.1.2.3"), false);
+  t.same(config.isBypassedIP("127.0.0.1"), false);
+  t.same(config.isBypassedIP("999.999.999.999"), false);
+  t.same(config.isBypassedIP("::1"), true);
+  t.same(config.isBypassedIP("::2"), false);
+
+  config.updateConfig([], 0, [], [], false);
+
+  t.same(config.isBypassedIP("123.123.123.1"), false);
+  t.same(config.isBypassedIP("999.999.999.999"), false);
+});

library/agent/ServiceConfig.ts

@@ -7,7 +7,7 @@ import { IPList } from "./api/fetchBlockedLists";
 export class ServiceConfig {
   private blockedUserIds: Map<string, string> = new Map();
   // IP addresses that are allowed to bypass rate limiting, attack blocking, etc.
-  private bypassedIPAddresses: Set<string> = new Set();
+  private bypassedIPAddresses: IPMatcher | undefined;
   private nonGraphQLEndpoints: Endpoint[] = [];
   private graphqlFields: Endpoint[] = [];
   private blockedIPAddresses: { blocklist: IPMatcher; description: string }[] =
@@ -71,14 +71,15 @@ export class ServiceConfig {
   }
 
   private setBypassedIPAddresses(ipAddresses: string[]) {
-    this.bypassedIPAddresses = new Set();
-    ipAddresses.forEach((ip) => {
-      this.bypassedIPAddresses.add(ip);
-    });
+    if (ipAddresses.length === 0) {
+      this.bypassedIPAddresses = undefined;
+      return;
+    }
+    this.bypassedIPAddresses = new IPMatcher(ipAddresses);
   }
 
   isBypassedIP(ip: string) {
-    return this.bypassedIPAddresses.has(ip);
+    return this.bypassedIPAddresses ? this.bypassedIPAddresses.has(ip) : false;
   }
 
   private setBlockedUserIds(blockedUserIds: string[]) {

library/sources/Hono.test.ts

@@ -59,7 +59,7 @@ const agent = createTestAgent({
     blockedUserIds: ["567"],
     configUpdatedAt: 0,
     heartbeatIntervalInMS: 10 * 60 * 1000,
-    allowedIPAddresses: ["4.3.2.1"],
+    allowedIPAddresses: ["4.3.2.1", "123.1.2.0/24"],
   }),
 });
 agent.start([new HonoInternal(), new HTTPServer()]);
@@ -507,3 +507,59 @@ t.test("invalid json body", opts, async (t) => {
   t.same(response.status, 400);
   t.same(await response.text(), "Invalid JSON");
 });
+
+t.test("bypass list works", opts, async (t) => {
+  // Start a server with a real socket
+  // The blocking is implemented in the HTTPServer source
+  const { serve } =
+    require("@hono/node-server") as typeof import("@hono/node-server");
+  const server = serve({
+    fetch: getApp().fetch,
+    port: 8769,
+  });
+
+  // It blocks bot
+  const response = await fetch.fetch({
+    url: new URL("http://127.0.0.1:8769/"),
+    headers: {
+      "X-Forwarded-For": "123.2.2.2",
+      "User-Agent": "hacker",
+    },
+  });
+  t.equal(response.statusCode, 403);
+  t.equal(
+    response.body,
+    "You are not allowed to access this resource because you have been identified as a bot."
+  );
+
+  // It does not block bypassed IP
+  const response2 = await fetch.fetch({
+    url: new URL("http://127.0.0.1:8769/"),
+    headers: {
+      "X-Forwarded-For": "4.3.2.1",
+      "User-Agent": "hacker",
+    },
+  });
+  t.equal(response2.statusCode, 200);
+
+  const response3 = await fetch.fetch({
+    url: new URL("http://127.0.0.1:8769/"),
+    headers: {
+      "X-Forwarded-For": "123.1.2.2",
+      "User-Agent": "hacker",
+    },
+  });
+  t.equal(response3.statusCode, 200);
+
+  const response4 = await fetch.fetch({
+    url: new URL("http://127.0.0.1:8769/"),
+    headers: {
+      "X-Forwarded-For": "123.1.2.254",
+      "User-Agent": "hacker",
+    },
+  });
+  t.equal(response4.statusCode, 200);
+
+  // Cleanup server
+  server.close();
+});