feat(server): require explicitly enabling reverse proxy auth for unix sockets (#3062)

2025-04-04 04:57:37 +03:00 · 2024-09-29 19:28:44 +02:00 · 2024-09-29 19:28:44 +02:00 · 06c9c1e64a
commit 06c9c1e64a
parent ed3ab5385d
2 changed files with 43 additions and 7 deletions
--- a/server/auth.go
+++ b/server/auth.go
@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"slices"
 	"strings"
 	"time"

@ -196,7 +197,7 @@ func UsernameFromToken(r *http.Request) string {
 }

 func UsernameFromReverseProxyHeader(r *http.Request) string {
-	if conf.Server.ReverseProxyWhitelist == "" && !strings.HasPrefix(conf.Server.Address, "unix:") {
+	if conf.Server.ReverseProxyWhitelist == "" {
 		return ""
 	}
 	reverseProxyIp, ok := request.ReverseProxyIpFrom(r.Context())
@ -324,14 +325,16 @@ func handleLoginFromHeaders(ds model.DataStore, r *http.Request) map[string]inte
 }

 func validateIPAgainstList(ip string, comaSeparatedList string) bool {
+	if comaSeparatedList == "" || ip == "" {
+		return false
+	}
+
+	cidrs := strings.Split(comaSeparatedList, ",")
+
 	// Per https://github.com/golang/go/issues/49825, the remote address
 	// on a unix socket is '@'
 	if ip == "@" && strings.HasPrefix(conf.Server.Address, "unix:") {
-		return true
-	}
-
-	if comaSeparatedList == "" || ip == "" {
-		return false
+		return slices.Contains(cidrs, "@")
 	}

 	if net.ParseIP(ip) == nil {
@ -342,7 +345,6 @@ func validateIPAgainstList(ip string, comaSeparatedList string) bool {
 		return false
 	}

-	cidrs := strings.Split(comaSeparatedList, ",")
 	testedIP, _, err := net.ParseCIDR(fmt.Sprintf("%s/32", ip))

 	if err != nil {