WAF: Add support for handling IP ranges in allow/block lists #29131
Are you an Automattician? You can now test your Pull Request on WordPress.com. On your sandbox, run
to get started. More details: p9dueE-5Nn-p2
Thank you for your PR! When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:
This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

Once your PR is ready for review, check one last time that all required checks (other than "Required review") appearing at the bottom of this PR are passing or skipped.

Jetpack plugin:

Protect plugin:
Only flew over this and have this one comment. Someone should certainly do a deeper review.
```php
foreach ( $ips as $ips_index => $ip ) {
	$string .= $ip;

	$is_last_loop = $ips_index === count( $ips ) - 1;
	if ( ! $is_last_loop ) {
		$string .= $delimiters[ $delimiters_index ];
		$delimiters_index = count( $delimiters ) === $delimiters_index + 1 ? 0 : $delimiters_index + 1;
	}
}
```
I'd certainly prefer if our expectation was hardcoded here, because this makes it pretty hard to understand what exactly we are expecting.
Thanks for checking this out Kolja! Good point - it is much more understandable by hardcoding it: 677b08d
```php
// Validate both IP values from the range
$range = explode( '-', $ip );
if ( count( $range ) === 2 ) {
	if ( filter_var( $range[0], FILTER_VALIDATE_IP ) !== false || filter_var( $range[1], FILTER_VALIDATE_IP ) !== false ) {
```
I think here we'll want `&&` over `||` to determine that both the starting and ending addresses are valid. Otherwise, I believe things like `12.12.12.1-not.a.valid.ip` and `not.a.valid.ip-12.12.12.5` will pass through the filter.

I also wonder, during this filtering process, if there is anything else we need to check for as far as inaccuracies go before passing the range as valid. For example, is `$range[0]` in fact lower than, and not equal to, `$range[1]`?
Nice catch, thanks Dean - I've added some additional validation which should cover everything you've mentioned: f4c2215 👍
Looks great, and works great! Covers all the bases - nice work! 👍🏻
Thanks Dean! I'm now just trying to figure out why the
This works for me 👍 The wpcom teamcity failures are unrelated. More discussion here.
Thanks all!
This PR introduces support for IP ranges in the firewall allow and block lists.

Ranges can be denoted by a dash `-` between two IP addresses. For example, `1.2.3.4-5.6.7.8` or `2001:0db8:85a3:0000:0000:0000:0000:0001-2001:0db8:85a3:0000:0000:0000:0000:9999`.

Proposed changes:

- `Waf_Runner::ip_option_to_array()` in favor of a new `IP\Utils::get_ip_addresses_from_string()` method, which takes the existing `ip_option_to_array()` code and adds support for IP ranges (i.e. "1.1.1.1-2.2.2.2").
- `IP\Utils::validate_ip_range()` function to ensure the given IP addresses for a range are valid and ordered correctly.
- `Waf_Runtime::is_ip_in_array()` to support IP ranges.

Other information:

Jetpack product discussion: #28633 (comment)
Does this pull request change what data or activity we track or use?
No
Testing instructions:

`wp-content/jetpack-waf/rules/block-ip.php` now includes the range in `$waf_block_list`.
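The range handling this PR describes, with the validation the review settled on (both ends must be valid addresses of one family, and the start strictly below the end) and a membership check over packed bytes so IPv6 ranges work too, as an added PHP example that is not the PR's own code; the `example_*` functions and the delimiter set are assumptions, not Jetpack's `IP\Utils` API:

```php
<?php
// Added example, not Jetpack's code; example_* names are assumed.
// Packed binary form of a valid IPv4/IPv6 address, or false.
function example_ip_to_binary( string $ip ) {
	return false === filter_var( $ip, FILTER_VALIDATE_IP ) ? false : inet_pton( $ip );
}
// Both ends must validate (&&, not ||), share a family, and start must be strictly below end.
function example_validate_ip_range( string $start, string $end ): bool {
	$start_bin = example_ip_to_binary( $start );
	$end_bin   = example_ip_to_binary( $end );
	if ( false === $start_bin || false === $end_bin || strlen( $start_bin ) !== strlen( $end_bin ) ) {
		return false;
	}
	return strcmp( $start_bin, $end_bin ) < 0; // strcmp is binary-safe, so this orders packed bytes.
}
// Parse "1.1.1.1, 10.0.0.1-10.0.0.50" into single addresses and ranges, dropping invalid entries.
// Assumed delimiters: whitespace, commas and semicolons.
function example_parse_ip_list( string $option ): array {
	$entries = array();
	foreach ( preg_split( '/[\s,;]+/', $option, -1, PREG_SPLIT_NO_EMPTY ) as $item ) {
		$range = explode( '-', $item );
		if ( 2 === count( $range ) && example_validate_ip_range( $range[0], $range[1] ) ) {
			$entries[] = array( 'start' => $range[0], 'end' => $range[1] );
		} elseif ( 1 === count( $range ) && false !== example_ip_to_binary( $item ) ) {
			$entries[] = array( 'ip' => $item );
		}
	}
	return $entries;
}
// True when $ip equals a listed address or falls inside a listed range (byte comparison, IPv6 included).
function example_is_ip_in_list( string $ip, array $entries ): bool {
	$needle = example_ip_to_binary( $ip );
	if ( false === $needle ) {
		return false;
	}
	foreach ( $entries as $entry ) {
		$start = inet_pton( $entry['start'] ?? $entry['ip'] );
		$end   = inet_pton( $entry['end'] ?? $entry['ip'] );
		if ( strlen( $start ) === strlen( $needle ) && strcmp( $start, $needle ) <= 0 && strcmp( $needle, $end ) <= 0 ) {
			return true;
		}
	}
	return false;
}
// Constructed sample list: the malformed and reversed ranges are rejected, the others kept.
$list = example_parse_ip_list( "1.1.1.1, 10.0.0.1-10.0.0.50, 12.12.12.1-not.a.valid.ip, 10.0.0.9-10.0.0.2, 2001:db8::1-2001:db8::ffff" );
var_dump( count( $list ), example_is_ip_in_list( '10.0.0.25', $list ), example_is_ip_in_list( '10.0.1.1', $list ) );
```

With the sample list, three entries survive parsing: the single address, the ordered IPv4 range and the IPv6 range; the two rejected items are exactly the cases raised in review.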