fix(proxy): Fix whitelist default policy denial (#42)

* fix(proxy): Fix whitelist default policy denial * fix(proxy): Fix whitelist default policy denial * fix(proxy): Fix whitelist default policy denial
0x676e67 · May 14, 2024 · 0a102a3 · 0a102a3
1 parent 95dfa03
commit 0a102a3
Show file tree

Hide file tree

Showing 4 changed files with 83 additions and 15 deletions.
diff --git a/main.py b/main.py
@@ -0,0 +1,50 @@
+import ipaddress
+import random
+import hashlib
+import string
+
+def generate_ip_from_cidr(cidr, session_str):
+    # Parse the CIDR notation
+    network = ipaddress.IPv6Network(cidr)
+    network_address = int(network.network_address)
+    netmask = int(network.netmask)
+
+    # Combine the CIDR range string and session string
+    combined_str = f"{cidr}-{session_str}"
+
+    # Generate a hash value from the combined string to use as a seed
+    seed = int(hashlib.sha1(combined_str.encode()).hexdigest(), 16)
+    random.seed(seed)
+
+    # Generate a random offset within the network range
+    offset = random.randint(0, netmask ^ 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF)
+
+    # Calculate the IP address using the network address and offset
+    ip_address_int = network_address + offset
+    ip_address = ipaddress.IPv6Address(ip_address_int)
+
+    return ip_address
+
+def session_generator(size, chars=string.ascii_uppercase + string.digits + string.ascii_lowercase):
+    random.seed(size)
+    return ''.join(random.choice(chars) for _ in range(size))
+
+# Example usage
+cidr = "2001:db8::/48"
+session_len = 1000
+sessions = []
+
+for x in range(session_len):
+    sessions.append(session_generator(x))
+
+result = []
+for x in sessions:
+    result.append(generate_ip_from_cidr(cidr, x))
+
+check = []
+for x in sessions:
+    check.append(generate_ip_from_cidr(cidr, x))
+
+for x in result:
+    if x not in check:
+        print(x)
diff --git a/src/proxy/auth.rs b/src/proxy/auth.rs
@@ -3,6 +3,9 @@ use std::net::IpAddr;
 
 /// Trait for checking if an IP address is in the whitelist.
 pub trait Whitelist {
+    /// Checks is empty.
+    fn is_empty(&self) -> bool;
+
     /// Checks if the given IP address is in the whitelist.
     fn contains(&self, ip: IpAddr) -> bool;
 }

diff --git a/src/proxy/http/auth.rs b/src/proxy/http/auth.rs
@@ -28,19 +28,24 @@ pub enum Authenticator {
 }
 
 impl Whitelist for Authenticator {
+    fn is_empty(&self) -> bool {
+        let whitelist = match self {
+            Authenticator::None(whitelist) => whitelist,
+            Authenticator::Password { whitelist, .. } => whitelist,
+        };
+
+        // Check if the whitelist is empty
+        whitelist.is_empty()
+    }
+
     fn contains(&self, ip: IpAddr) -> bool {
         let whitelist = match self {
             Authenticator::None(whitelist) => whitelist,
             Authenticator::Password { whitelist, .. } => whitelist,
         };
 
         // If whitelist is empty, allow all
-        if whitelist.is_empty() {
-            return true;
-        } else {
-            // Check if the ip is in the whitelist
-            return whitelist.contains(&ip);
-        }
+        whitelist.contains(&ip)
     }
 }
 
@@ -53,7 +58,8 @@ impl Authenticator {
         match self {
             Authenticator::None(..) => {
                 // If whitelist is empty, allow all
-                if !self.contains(socket.ip()) {
+                let is_equal = self.contains(socket.ip()) || self.is_empty();
+                if !is_equal {
                     tracing::warn!("Unauthorized access from {}", socket);
                     return Err(AuthError::Unauthorized);
                 }

diff --git a/src/proxy/socks5/server/auth.rs b/src/proxy/socks5/server/auth.rs
@@ -32,14 +32,14 @@ impl NoAuth {
 }
 
 impl Whitelist for NoAuth {
+    fn is_empty(&self) -> bool {
+        // Check if the whitelist is empty
+        self.0.is_empty()
+    }
+
     fn contains(&self, ip: IpAddr) -> bool {
         // If whitelist is empty, allow all
-        if self.0.is_empty() {
-            return true;
-        } else {
-            // Check if the ip is in the whitelist
-            return self.0.contains(&ip);
-        }
+        self.0.contains(&ip)
     }
 }
 
@@ -53,8 +53,12 @@ impl Auth for NoAuth {
 
     async fn execute(&self, stream: &mut TcpStream) -> Self::Output {
         let socket = stream.peer_addr()?;
-        if !self.contains(socket.ip()) {
-            return Err(Error::new(ErrorKind::Other, "Ip is not in the whitelist"));
+        let is_equal = self.contains(socket.ip()) || self.is_empty();
+        if !is_equal {
+            return Err(Error::new(
+                ErrorKind::Other,
+                format!("Address {} is not in the whitelist", socket.ip()),
+            ));
         }
         Ok((true, Extensions::None))
     }
@@ -67,6 +71,11 @@ pub struct Password {
 }
 
 impl Whitelist for Password {
+    fn is_empty(&self) -> bool {
+        // Check if the whitelist is empty
+        self.whitelist.is_empty()
+    }
+
     fn contains(&self, ip: IpAddr) -> bool {
         // If whitelist is empty, allow all
         if self.whitelist.is_empty() {