WAF: Add support for handling IP ranges in allow/block lists

projects/packages/ip/changelog/add-get-ip-addresses-from-string-method

@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+Added a utility function to extract an array of IP addresses from a given string.

projects/packages/ip/src/class-utils.php

@@ -167,4 +167,38 @@ public static function ip_address_is_in_range( $ip, $range_low, $range_high ) {
 		return false;
 	}
 
+	/**
+	 * Extracts IP addresses from a given string.
+	 *
+	 * We allow for both, one IP per line or comma-; semicolon; or whitespace-separated lists. This also validates the IP addresses
+	 * and only returns the ones that look valid. IP ranges using the "-" character are also supported.
+	 *
+	 * @param string $ips List of ips - example: "8.8.8.8\n4.4.4.4,2.2.2.2;1.1.1.1 9.9.9.9,5555.5555.5555.5555,1.1.1.10-1.1.1.20".
+	 * @return array List of valid IP addresses. - example based on input example: array('8.8.8.8', '4.4.4.4', '2.2.2.2', '1.1.1.1', '9.9.9.9', '1.1.1.10-1.1.1.20')
+	 */
+	public static function get_ip_addresses_from_string( $ips ) {
+		$ips = (string) $ips;
+		$ips = preg_split( '/[\s,;]/', $ips );
+
+		$result = array();
+
+		foreach ( $ips as $ip ) {
+			// Validate both IP values from the range
+			$range = explode( '-', $ip );
+			if ( count( $range ) === 2 ) {
+				if ( filter_var( $range[0], FILTER_VALIDATE_IP ) !== false || filter_var( $range[1], FILTER_VALIDATE_IP ) !== false ) {
+					$result[] = $ip;
+				}
+				continue;
+			}
+
+			// validate the single IP value
+			if ( filter_var( $ip, FILTER_VALIDATE_IP ) !== false ) {
+				$result[] = $ip;
+			}
+		}
+
+		return $result;
+	}
+
 }

projects/packages/ip/tests/php/test-utils.php

@@ -305,4 +305,45 @@ public function test_ip_address_is_in_range() {
 		$this->assertFalse( Utils::ip_address_is_in_range( $out_range_ip, $range_low, $range_high ) );
 	}
 
+	/**
+	 * Test `get_ip_addresses_from_string`.
+	 * Covers IPv4 and IPv6 addresses, including ranges, concatenated with various delimiters.
+	 *
+	 * @covers ::get_ip_addresses_from_string
+	 */
+	public function test_get_ip_addresses_from_string() {
+		$string = '';
+
+		$delimiters       = array( "\n", ',', ';', ' ' );
+		$delimiters_index = 0;
+
+		$ips = array(
+			// IPv4
+			'1.1.1.1',
+			'2.2.2.2',
+			'3.3.3.3',
+			'4.4.4.4',
+			'5.5.5.5-6.6.6.6',
+			// IPv6
+			'2001:db8::1',
+			'2001:db8::2',
+			'2001:db8::3',
+			'2001:db8::4',
+			'2001:db8::5-2001:db8::6',
+		);
+
+		// Generate a string that includes all IPs and delimiters.
+		foreach ( $ips as $ips_index => $ip ) {
+			$string .= $ip;
+
+			$is_last_loop = $ips_index === count( $ips ) - 1;
+			if ( ! $is_last_loop ) {
+				$string          .= $delimiters[ $delimiters_index ];
+				$delimiters_index = count( $delimiters ) === $delimiters_index + 1 ? 0 : $delimiters_index + 1;
+			}
+		}
+
+		$this->assertEquals( $ips, Utils::get_ip_addresses_from_string( $string ) );
+	}
+
 }

projects/packages/waf/changelog/add-ip-range-support

@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+Added support for IP ranges in allow and block lists.

projects/packages/waf/composer.json

@@ -6,6 +6,7 @@
 	"require": {
 		"automattic/jetpack-connection": "@dev",
 		"automattic/jetpack-constants": "@dev",
+		"automattic/jetpack-ip": "@dev",
 		"automattic/jetpack-status": "@dev",
 		"wikimedia/aho-corasick": "^1.0"
 	},
@@ -56,7 +57,7 @@
 			"link-template": "https://github.com/Automattic/jetpack-waf/compare/v${old}...v${new}"
 		},
 		"branch-alias": {
-			"dev-trunk": "0.9.x-dev"
+			"dev-trunk": "0.10.x-dev"
 		}
 	},
 	"config": {

projects/packages/waf/src/class-waf-rules-manager.php

@@ -10,6 +10,7 @@
 namespace Automattic\Jetpack\Waf;
 
 use Automattic\Jetpack\Connection\Client;
+use Automattic\Jetpack\IP\Utils as IP_Utils;
 use Jetpack_Options;
 use WP_Error;
 
@@ -259,28 +260,6 @@ public static function generate_automatic_rules() {
 		update_option( self::AUTOMATIC_RULES_LAST_UPDATED_OPTION_NAME, time() );
 	}
 
-	/**
-	 * We allow for both, one IP per line or comma-; semicolon; or whitespace-separated lists. This also validates the IP addresses
-	 * and only returns the ones that look valid.
-	 *
-	 * @param string $ips List of ips - example: "8.8.8.8\n4.4.4.4,2.2.2.2;1.1.1.1 9.9.9.9,5555.5555.5555.5555".
-	 * @return array List of valid IP addresses. - example based on input example: array('8.8.8.8', '4.4.4.4', '2.2.2.2', '1.1.1.1', '9.9.9.9')
-	 */
-	public static function ip_option_to_array( $ips ) {
-		$ips = (string) $ips;
-		$ips = preg_split( '/[\s,;]/', $ips );
-
-		$result = array();
-
-		foreach ( $ips as $ip ) {
-			if ( filter_var( $ip, FILTER_VALIDATE_IP ) !== false ) {
-				$result[] = $ip;
-			}
-		}
-
-		return $result;
-	}
-
 	/**
 	 * Generates the rules.php script
 	 *
@@ -309,8 +288,8 @@ public static function generate_ip_rules() {
 			$wp_filesystem->mkdir( dirname( $block_ip_file_path ) );
 		}
 
-		$allow_list = self::ip_option_to_array( get_option( self::IP_ALLOW_LIST_OPTION_NAME ) );
-		$block_list = self::ip_option_to_array( get_option( self::IP_BLOCK_LIST_OPTION_NAME ) );
+		$allow_list = IP_Utils::get_ip_addresses_from_string( get_option( self::IP_ALLOW_LIST_OPTION_NAME ) );
+		$block_list = IP_Utils::get_ip_addresses_from_string( get_option( self::IP_BLOCK_LIST_OPTION_NAME ) );
 
 		$allow_rules_content = '';
 		// phpcs:disable WordPress.PHP.DevelopmentFunctions

projects/packages/waf/src/class-waf-runtime.php

@@ -663,14 +663,32 @@ function ( $item ) {
 	}
 
 	/**
-	 * Verifies is ip from request is in an array.
+	 * Verifies if the IP from the current request is in an array.
 	 *
-	 * @param array $array Array to verify ip against.
+	 * @param array $array Array of IP addresses to verify the request IP against.
+	 * @return bool
 	 */
 	public function is_ip_in_array( $array ) {
-		$real_ip = $this->request->get_real_user_ip_address();
+		$real_ip      = $this->request->get_real_user_ip_address();
+		$array_length = count( $array );
+
+		for ( $i = 0; $i < $array_length; $i++ ) {
+			// Check if the IP matches a provided range.
+			$range = explode( $array[ $i ], '-' );
+			if ( count( $range ) === 2 ) {
+				if ( IP_Utils::ip_address_is_in_range( $real_ip, $range[0], $range[1] ) ) {
+					return true;
+				}
+				continue;
+			}
 
-		return in_array( $real_ip, $array, true );
+			// Check if the IP is an exact match.
+			if ( $real_ip === $array[ $i ] ) {
+				return true;
+			}
+		}
+
+		return false;
 	}
 
 	/**

projects/packages/waf/src/class-waf-stats.php

@@ -7,6 +7,8 @@
 
 namespace Automattic\Jetpack\Waf;
 
+use Automattic\Jetpack\IP\Utils as IP_Utils;
+
 /**
  * Retrieves WAF stats.
  */
@@ -24,7 +26,7 @@ public static function get_ip_allow_list_count() {
 			return 0;
 		}
 
-		$results = Waf_Rules_Manager::ip_option_to_array( $ip_allow_list );
+		$results = IP_Utils::get_ip_addresses_from_string( $ip_allow_list );
 
 		return count( $results );
 	}
@@ -41,7 +43,7 @@ public static function get_ip_block_list_count() {
 			return 0;
 		}
 
-		$results = Waf_Rules_Manager::ip_option_to_array( $ip_block_list );
+		$results = IP_Utils::get_ip_addresses_from_string( $ip_block_list );
 
 		return count( $results );
 	}

projects/plugins/jetpack/changelog/add-waf-ip-ranges

@@ -0,0 +1,5 @@
+Significance: patch
+Type: other
+Comment: Updated composer.lock.
+
+

projects/plugins/protect/changelog/add-waf-ip-ranges

@@ -0,0 +1,5 @@
+Significance: patch
+Type: changed
+Comment: Updated composer.lock.
+
+