improve YAML syntax for defining allowed IPs

2025-07-07 12:36:57 +00:00 · 2025-05-13 22:19:24 -04:00 · 2025-05-13 22:19:24 -04:00 · 5116586d79
commit 5116586d79
parent fb63167d85
5 changed files with 113 additions and 24 deletions
--- a/.config/ci.yml
+++ b/.config/ci.yml
@ -321,9 +321,24 @@ attachLdSignatureForRelays: true
 # For security reasons, uploading attachments from the intranet is prohibited,
 # but exceptions can be made from the following settings. Default value is "undefined".
 # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)).
-#allowedPrivateNetworks: [
-#  '127.0.0.1/32'
-#]
+# Some example configurations:
+#allowedPrivateNetworks:
+#  # Allow connections to 127.0.0.1 on any port
+#  - '127.0.0.1/32'
+#  # Allow connections to 127.0.0.* on any port
+#  - '127.0.0.1/24'
+#  # Allow connections to 127.0.0.1 on any port
+#  - '127.0.0.1'
+#  # Allow connections to 127.0.0.1 on any port
+#  - network: '127.0.0.1'
+#  # Allow connections to 127.0.0.1 on port 80
+#  - network: '127.0.0.1'
+#    ports: [80]
+#  # Allow connections to 127.0.0.1 on port 80 or 443
+#  - network: '127.0.0.1'
+#    ports:
+#      - 80
+#      - 443

 #customMOTD: ['Hello World', 'The sharks rule all', 'Shonks']

--- a/.config/cypress-devcontainer.yml
+++ b/.config/cypress-devcontainer.yml
@ -269,9 +269,27 @@ proxyRemoteFiles: true
 # Sign to ActivityPub GET request (default: true)
 signToActivityPubGet: true

-allowedPrivateNetworks: [
-  '127.0.0.1/32'
-]
+# For security reasons, uploading attachments from the intranet is prohibited,
+# but exceptions can be made from the following settings. Default value is "undefined".
+# Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)).
+# Some example configurations:
+allowedPrivateNetworks:
+  # Allow connections to 127.0.0.1 on any port
+  - '127.0.0.1/32'
+#  # Allow connections to 127.0.0.* on any port
+#  - '127.0.0.1/24'
+#  # Allow connections to 127.0.0.1 on any port
+#  - '127.0.0.1'
+#  # Allow connections to 127.0.0.1 on any port
+#  - network: '127.0.0.1'
+#  # Allow connections to 127.0.0.1 on port 80
+#  - network: '127.0.0.1'
+#    ports: [80]
+#  # Allow connections to 127.0.0.1 on port 80 or 443
+#  - network: '127.0.0.1'
+#    ports:
+#      - 80
+#      - 443

 # Disable automatic redirect for ActivityPub object lookup. (default: false)
 # This is a strong defense against potential impersonation attacks if the viewer instance has inadequate validation.
--- a/.config/docker_example.yml
+++ b/.config/docker_example.yml
@ -378,9 +378,24 @@ attachLdSignatureForRelays: true
 # For security reasons, uploading attachments from the intranet is prohibited,
 # but exceptions can be made from the following settings. Default value is "undefined".
 # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)).
-#allowedPrivateNetworks: [
-#  '127.0.0.1/32'
-#]
+# Some example configurations:
+#allowedPrivateNetworks:
+#  # Allow connections to 127.0.0.1 on any port
+#  - '127.0.0.1/32'
+#  # Allow connections to 127.0.0.* on any port
+#  - '127.0.0.1/24'
+#  # Allow connections to 127.0.0.1 on any port
+#  - '127.0.0.1'
+#  # Allow connections to 127.0.0.1 on any port
+#  - network: '127.0.0.1'
+#  # Allow connections to 127.0.0.1 on port 80
+#  - network: '127.0.0.1'
+#    ports: [80]
+#  # Allow connections to 127.0.0.1 on port 80 or 443
+#  - network: '127.0.0.1'
+#    ports:
+#      - 80
+#      - 443

 #customMOTD: ['Hello World', 'The sharks rule all', 'Shonks']

--- a/.config/example.yml
+++ b/.config/example.yml
@ -381,9 +381,24 @@ attachLdSignatureForRelays: true
 # For security reasons, uploading attachments from the intranet is prohibited,
 # but exceptions can be made from the following settings. Default value is "undefined".
 # Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)).
-#allowedPrivateNetworks: [
-#  '127.0.0.1/32'
-#]
+# Some example configurations:
+#allowedPrivateNetworks:
+#  # Allow connections to 127.0.0.1 on any port
+#  - '127.0.0.1/32'
+#  # Allow connections to 127.0.0.* on any port
+#  - '127.0.0.1/24'
+#  # Allow connections to 127.0.0.1 on any port
+#  - '127.0.0.1'
+#  # Allow connections to 127.0.0.1 on any port
+#  - network: '127.0.0.1'
+#  # Allow connections to 127.0.0.1 on port 80
+#  - network: '127.0.0.1'
+#    ports: [80]
+#  # Allow connections to 127.0.0.1 on port 80 or 443
+#  - network: '127.0.0.1'
+#    ports:
+#      - 80
+#      - 443

 #customMOTD: ['Hello World', 'The sharks rule all', 'Shonks']

--- a/packages/backend/src/config.ts
+++ b/packages/backend/src/config.ts
@ -84,7 +84,7 @@ type Source = {
 	proxySmtp?: string;
 	proxyBypassHosts?: string[];

-	allowedPrivateNetworks?: string[];
+	allowedPrivateNetworks?: PrivateNetworkSource[];
 	disallowExternalApRedirect?: boolean;

 	maxFileSize?: number;
@ -154,11 +154,13 @@ type Source = {
 	}
 };

+export type PrivateNetworkSource = string | { ip?: string, ports?: number[] };
+
 export type PrivateNetwork = {
 	/**
 	 * CIDR IP/netmask definition of the IP range to match.
 	 */
-	cidr: [ip: IPv4 | IPv6, mask: number];
+	cidr: CIDR;

 	/**
 	 * List of ports to match.
@ -168,17 +170,41 @@ export type PrivateNetwork = {
 	ports?: number[];
 };

-export function parsePrivateNetworks(patterns: string[]): PrivateNetwork[];
+export type CIDR = [ip: IPv4 | IPv6, mask: number];
+
+export function parsePrivateNetworks(patterns: PrivateNetworkSource[]): PrivateNetwork[];
 export function parsePrivateNetworks(patterns: undefined): undefined;
-export function parsePrivateNetworks(patterns: string[] | undefined): PrivateNetwork[] | undefined;
-export function parsePrivateNetworks(patterns: string[] | undefined): PrivateNetwork[] | undefined {
-	return patterns?.map(e => {
-		const [ip, ports] = e.split('#') as [string, ...(string | undefined)[]];
-		return {
-			cidr: ipaddr.parseCIDR(ip),
-			ports: ports?.split(',').map(p => parseInt(p)),
-		};
-	});
+export function parsePrivateNetworks(patterns: PrivateNetworkSource[] | undefined): PrivateNetwork[] | undefined;
+export function parsePrivateNetworks(patterns: PrivateNetworkSource[] | undefined): PrivateNetwork[] | undefined {
+	if (!patterns) return undefined;
+	return patterns
+		.map(e => {
+			if (typeof(e) === 'string') {
+				const cidr = parseIpOrMask(e);
+				if (cidr) {
+					return { cidr } satisfies PrivateNetwork;
+				}
+			} else if (e.ip) {
+				const cidr = parseIpOrMask(e.ip);
+				if (cidr) {
+					return { cidr, ports: e.ports } satisfies PrivateNetwork;
+				}
+			}
+
+			console.warn('[config] Skipping invalid entry in allowedPrivateNetworks: ', e);
+			return null;
+		})
+		.filter(p => p != null);
+}
+
+function parseIpOrMask(ipOrMask: string): CIDR | null {
+	if (ipaddr.isValidCIDR(ipOrMask)) {
+		return ipaddr.parseCIDR(ipOrMask);
+	}
+	if (ipaddr.isValid(ipOrMask)) {
+		return ipaddr.parseCIDR(ipOrMask);
+	}
+	return null;
 }

 export type Config = {