Merge commit from fork

* updated default blocklist to include other loopback devices

* changeset

* improved fix

* Update api/src/request/is-denied-ip.ts

Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com>

---------

Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com>

.changeset/silly-months-protect.md

@@ -0,0 +1,5 @@
+---
+'@directus/env': patch
+---
+
+Expanded `0.0.0.0` matching of loopback ranges

api/src/request/is-denied-ip.test.ts

@@ -108,7 +108,7 @@ test(`Returns true if IP matches resolved local network interface address`, asyn
  netmask: '255.0.0.0',
  family: 'IPv4',
  mac: '00:00:00:00:00:00',
- internal: true,
+ internal: false,
  cidr: '127.0.0.1/8',
  },
  ],
@@ -118,3 +118,25 @@ test(`Returns true if IP matches resolved local network interface address`, asyn
 
  expect(result).toBe(true);
 });
+
+test(`Returns true if IP matches resolved to local loopback devices`, async () => {
+ vi.mocked(useEnv).mockReturnValue({ IMPORT_IP_DENY_LIST: ['0.0.0.0'] });
+
+ vi.mocked(os.networkInterfaces).mockReturnValue({
+ fa0: undefined,
+ lo0: [
+ {
+ address: '127.0.0.1',
+ netmask: '255.0.0.0',
+ family: 'IPv4',
+ mac: '00:00:00:00:00:00',
+ internal: true,
+ cidr: '127.0.0.1/8',
+ },
+ ],
+ });
+
+ expect(isDeniedIp('127.0.0.1')).toBe(true);
+ expect(isDeniedIp('127.8.16.32')).toBe(true);
+ expect(isDeniedIp('127.127.127.127')).toBe(true);
+});

api/src/request/is-denied-ip.ts

@@ -1,5 +1,6 @@
 import { useEnv } from '@directus/env';
 import os from 'node:os';
+import { matches } from 'ip-matching';
 import { useLogger } from '../logger/index.js';
 import { ipInNetworks } from '../utils/ip-in-networks.js';
 
@@ -29,7 +30,11 @@ export function isDeniedIp(ip: string): boolean {
  if (!networkInfo) continue;
 
  for (const info of networkInfo) {
- if (info.address === ip) return true;
+ if (info.internal && info.cidr) {
+ if (matches(ip, info.cidr)) return true;
+ } else if (info.address === ip) { 
+ return true;
+ }
  }
  }
  }