Merge pull request #7736 from shirady/verify-ip-address

NSFS | NC | Verify IP Address When Passing IP List
noobaa · Jan 18, 2024 · d7b172c · d7b172c
2 parents df9d258 + e251251
commit d7b172c
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 10 deletions.
diff --git a/src/cmd/manage_nsfs.js b/src/cmd/manage_nsfs.js
@@ -5,6 +5,7 @@ const dbg = require('../util/debug_module')(__filename);
 const _ = require('lodash');
 const path = require('path');
 const minimist = require('minimist');
+const net = require('net');
 const config = require('../../config');
 const P = require('../util/promise');
 const nb_native = require('../util/nb_native');
@@ -833,6 +834,7 @@ async function whitelist_ips_management(args) {
     validate_whitelist_arg(ips);
 
     const whitelist_ips = JSON.parse(ips);
+    verify_whitelist_ips(whitelist_ips);
     const config_path = path.join(config_root, 'config.json');
     try {
         const config_data = require(config_path);
@@ -858,6 +860,15 @@ function validate_whitelist_arg(ips) {
     }
 }
 
+function verify_whitelist_ips(ips_to_validate) {
+    for (const ip_to_validate of ips_to_validate) {
+        if (net.isIP(ip_to_validate) === 0) {
+            const detail_msg = `IP address list has an invalid IP address ${ip_to_validate}`;
+            throw_cli_error(ManageCLIError.InvalidWhiteListIPFormat, detail_msg);
+        }
+    }
+}
+
 function _validate_access_keys(argv) {
     // using the access_key flag requires also using the secret_key flag
     if (!is_undefined(argv.access_key) && is_undefined(argv.secret_key)) throw_cli_error(ManageCLIError.MissingAccountSecretKeyFlag);

diff --git a/src/test/unit_tests/jest_tests/test_nc_nsfs_config_schema_validation.test.js b/src/test/unit_tests/jest_tests/test_nc_nsfs_config_schema_validation.test.js
@@ -36,8 +36,8 @@ describe('schema validation NC NSFS config', () => {
                 ALLOW_HTTP: true,
                 NSFS_WHITELIST: [
                     '127.0.0.1',
-                    '192.000.10.000',
-                    '3002:0bd6:0000:0000:0000:ee00:0033:000'
+                    '0000:0000:0000:0000:0000:ffff:7f00:0002',
+                    '::ffff:7f00:3'
                 ],
             };
             nsfs_schema_utils.validate_nsfs_config_schema(config_data);

diff --git a/src/test/unit_tests/test_nc_nsfs_cli.js b/src/test/unit_tests/test_nc_nsfs_cli.js
@@ -654,24 +654,33 @@ mocha.describe('manage_nsfs cli', function() {
         this.timeout(50000); // eslint-disable-line no-invalid-this
         const type = nc_nsfs_manage_entity_types.IPWHITELIST;
         const config_options = { ENDPOINT_FORKS: 1, UV_THREADPOOL_SIZE: 4 };
-        const ips = ['127.0.0.1', '192.000.10.000', '3002:0bd6:0000:0000:0000:ee00:0033:999'];
         mocha.before(async () => {
             await write_config_file(config_root, '', 'config', config_options);
         });
         mocha.after(async () => {
             fs_utils.file_delete(path.join(config_root, 'config.json'));
         });
 
-        mocha.it('cli add whitelist ips first time', async function() {
+        mocha.it('cli add whitelist ips first time (IPV4 format)', async function() {
+            const ips = ['127.0.0.1']; // IPV4 format
             const res = await exec_manage_cli(type, '', { config_root, ips: JSON.stringify(ips) });
             config_options.NSFS_WHITELIST = ips;
             const config_data = await read_config_file(config_root, '', 'config');
             assert_response('', type, res, ips);
             assert_whitelist(config_data, config_options);
         });
 
-        mocha.it('cli update whitelist ips', async function() {
-            ips.push('100.000.00.000');
+        mocha.it('cli update whitelist ips (IPV6 expanded format)', async function() {
+            const ips = ['0000:0000:0000:0000:0000:ffff:7f00:0002']; // IPV6 expanded format
+            const res = await exec_manage_cli(type, '', { config_root, ips: JSON.stringify(ips) });
+            config_options.NSFS_WHITELIST = ips;
+            const config_data = await read_config_file(config_root, '', 'config');
+            assert_response('', type, res, ips);
+            assert_whitelist(config_data, config_options);
+        });
+
+        mocha.it('cli update whitelist ips (IPV6 compressed format)', async function() {
+            const ips = ['::ffff:7f00:3']; // IPV6 compressed format
             const res = await exec_manage_cli(type, '', { config_root, ips: JSON.stringify(ips) });
             config_options.NSFS_WHITELIST = ips;
             const config_data = await read_config_file(config_root, '', 'config');
@@ -682,22 +691,44 @@ mocha.describe('manage_nsfs cli', function() {
         mocha.it('cli whitelist ips is empty', async function() {
             try {
                 await exec_manage_cli(type, '', { config_root, ips: '' });
-                config_options.NSFS_WHITELIST = ips;
-                assert.fail('should have failed withwhitelist ips should not be empty.');
+                assert.fail('should have failed with whitelist ips should not be empty.');
             } catch (err) {
                 assert_error(err, ManageCLIError.MissingWhiteListIPFlag);
             }
         });
 
         mocha.it('cli whitelist formate is invalid', async function() {
             try {
-                await exec_manage_cli(type, '', { config_root, ips: JSON.stringify(ips) + 'invalid' });
-                config_options.NSFS_WHITELIST = ips;
+                const ips = ['127.0.0.1'];
+                const ip_list_invalid_format = JSON.stringify(ips) + 'invalid';
+                await exec_manage_cli(type, '', { config_root, ips: ip_list_invalid_format });
                 assert.fail('should have failed with whitelist ips with invalid body format');
             } catch (err) {
                 assert_error(err, ManageCLIError.InvalidWhiteListIPFormat);
             }
         });
+
+        mocha.it('cli whitelist has invalid IP address (one item in the list)', async function() {
+            const ip_list_with_invalid_ip_address = ['10.1.11']; // missing a class in the IP address
+            try {
+                await exec_manage_cli(type, '', { config_root, ips: ip_list_with_invalid_ip_address});
+                assert.fail('should have failed with whitelist ips with invalid ip address');
+            } catch (err) {
+                assert_error(err, ManageCLIError.InvalidWhiteListIPFormat);
+            }
+        });
+
+        mocha.it('cli whitelist has invalid IP address (a couple of items in the list)', async function() {
+            const invalid_ip_address = '10.1.11'; // missing a class in the IP address
+            const ips = ['127.0.0.1', '::ffff:7f00:3', '0000:0000:0000:0000:0000:ffff:7f00:0002'];
+            ips.push(invalid_ip_address);
+            try {
+                await exec_manage_cli(type, '', { config_root, ips: ips});
+                assert.fail('should have failed with whitelist ips with invalid ip address');
+            } catch (err) {
+                assert_error(err, ManageCLIError.InvalidWhiteListIPFormat);
+            }
+        });
     });
 
 });