mirror of
https://github.com/syncthing/syncthing.git
synced 2026-03-27 18:53:04 -04:00
c667ada63a
### Purpose Fix https://github.com/syncthing/syncthing/issues/9336 The `emitLoginAttempt` function now checks for the presence of an `X-Forwarded-For` header. The IP from this header is only used if the connecting host is either on loopback or on the same LAN. In the case of a host pretending to be a proxy, we'd still have both IPs in the logs, which should make this much less critical from a security standpoint. ### Testing 1. directly via localhost 2. via proxy an localhost #### Logs ``` [3JPXJ] 2025/04/11 15:00:40 INFO: Wrong credentials supplied during API authorization from 127.0.0.1 [3JPXJ] 2025/04/11 15:03:04 INFO: Wrong credentials supplied during API authorization from 192.168.178.5 proxied by 127.0.0.1 ``` #### Event API ``` { "id": 23, "globalID": 23, "time": "2025-04-11T15:00:40.578577402+02:00", "type": "LoginAttempt", "data": { "remoteAddress": "127.0.0.1", "success": false, "username": "sdfsd" } }, { "id": 24, "globalID": 24, "time": "2025-04-11T15:03:04.423403976+02:00", "type": "LoginAttempt", "data": { "proxy": "127.0.0.1", "remoteAddress": "192.168.178.5", "success": false, "username": "sdfsd" } } ``` ### Documentation https://github.com/syncthing/docs/pull/907 --------- Co-authored-by: Jakob Borg <jakob@kastelo.net>
72 lines
1.6 KiB
Go
72 lines
1.6 KiB
Go
// Copyright (C) 2015 The Syncthing Authors.
|
|
//
|
|
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
|
// You can obtain one at https://mozilla.org/MPL/2.0/.
|
|
|
|
package osutil
|
|
|
|
import (
|
|
"net"
|
|
"strings"
|
|
)
|
|
|
|
// GetInterfaceAddrs returns the IP networks of all interfaces that are up.
|
|
// Point-to-point interfaces are exluded unless includePtP is true.
|
|
func GetInterfaceAddrs(includePtP bool) ([]*net.IPNet, error) {
|
|
intfs, err := net.Interfaces()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var addrs []net.Addr
|
|
|
|
for _, intf := range intfs {
|
|
if intf.Flags&net.FlagRunning == 0 {
|
|
continue
|
|
}
|
|
if !includePtP && intf.Flags&net.FlagPointToPoint != 0 {
|
|
// Point-to-point interfaces are typically VPNs and similar
|
|
// which, for our purposes, do not qualify as LANs.
|
|
continue
|
|
}
|
|
intfAddrs, err := intf.Addrs()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
addrs = append(addrs, intfAddrs...)
|
|
}
|
|
|
|
nets := make([]*net.IPNet, 0, len(addrs))
|
|
|
|
for _, addr := range addrs {
|
|
net, ok := addr.(*net.IPNet)
|
|
if ok {
|
|
nets = append(nets, net)
|
|
}
|
|
}
|
|
return nets, nil
|
|
}
|
|
|
|
func IPFromString(addr string) net.IP {
|
|
// strip the port
|
|
host, _, err := net.SplitHostPort(addr)
|
|
if err != nil {
|
|
host = addr
|
|
}
|
|
// strip IPv6 zone identifier
|
|
host, _, _ = strings.Cut(host, "%")
|
|
return net.ParseIP(host)
|
|
}
|
|
|
|
func IPFromAddr(addr net.Addr) (net.IP, error) {
|
|
switch a := addr.(type) {
|
|
case *net.TCPAddr:
|
|
return a.IP, nil
|
|
case *net.UDPAddr:
|
|
return a.IP, nil
|
|
default:
|
|
host, _, err := net.SplitHostPort(addr.String())
|
|
return net.ParseIP(host), err
|
|
}
|
|
}
|