Fixes critical bug that allowed access when ips is emtpy and mode == …

…'allow'. 2) Adds minor speed improvements for middleware. 3) Minor spelling and documentation fixes in README.
ryanbillingsley · Jul 13, 2017 · 4adc5dc · 4adc5dc
1 parent b683405
commit 4adc5dc
Show file tree

Hide file tree

Showing 7 changed files with 96 additions and 62 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -14,15 +14,11 @@ Build the libraries:
 
     grunt
 
-Make sure the tests pass:
+**Add tests** for your change. Make sure the tests pass:
 
-    npm test
+    grunt test
 
-Make your change. **Add tests** for your change. Make the tests pass:
-
-    npm test
-
-Update the version number at the top of the README, add your change to the changelog, and update the version in `packet.json`
+Update the version number at the top of the README, add your change to the changelog, and update the version in `package.json`
 
 Push to your fork and [submit a pull request][pr].
 

diff --git a/README.md b/README.md
@@ -156,6 +156,11 @@ This will run `eslint`,`babel`, and `mocha` and output coverage data into `cover
 
 ## Changelog
 
+0.3.1
+ * Fixes critical bug that allowed access when ips is empty and mode == 'allow'.
+ * Adds minor speed improvements for middleware.
+ * Minor spelling and documentation fixes in README
+
 0.3.0
  * Adds the ability to pass IPs by function so that we can dynamically retrieve white/black listed addresses.
 

diff --git a/lib/ipfilter.js b/lib/ipfilter.js
diff --git a/lib/ipfilter.js.map b/lib/ipfilter.js.map
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "express-ipfilter",
   "description": "A light-weight IP address based filtering system",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "author": "BaM Interactive",
   "dependencies": {
     "ip": "~1.1.0",

diff --git a/src/ipfilter.js b/src/ipfilter.js
@@ -44,7 +44,7 @@ var IpDeniedError = require('./deniedError');
 module.exports = function ipfilter(ips, opts) {
   ips = ips || false;
 
-  var ipsIsFunction = _.isFunction(ips);
+  var getIps = _.isFunction(ips) ? ips : function(){ return ips; };
   var logger = function(message){ console.log(message);};
   var settings = _.defaults( opts || {}, {
     mode: 'deny',
@@ -56,10 +56,6 @@ module.exports = function ipfilter(ips, opts) {
     detectIp: getClientIp
   });
 
-  function getIps() {
-    return ipsIsFunction ? ips() : ips;
-  }
-
   function getClientIp(req) {
     var ipAddress;
 
@@ -160,6 +156,11 @@ module.exports = function ipfilter(ips, opts) {
     }
   };
 
+  var error = function(ip, next){
+    var err = new IpDeniedError('Access denied to IP address: ' + ip);
+    return next(err);
+  };
+
   return function(req, res, next) {
     if(settings.excluding.length > 0){
       var results = _.filter(settings.excluding,function(exclude){
@@ -175,11 +176,18 @@ module.exports = function ipfilter(ips, opts) {
       }
     }
 
-    var ip = settings.detectIp(req);
-    // If no IPs were specified, skip
-    // this middleware
     var _ips = getIps();
-    if(!_ips || !_ips.length) { return next(); }
+    if(!_ips || !_ips.length) {
+      if(settings.mode == 'allow'){
+        // ip list is empty, thus no one allowed
+        return error('0.0.0.0/0', next);
+      } else {
+        // there are no blocked ips, skip
+        return next();
+      }
+    }
+
+    var ip = settings.detectIp(req);
 
     if(matchClientIp(ip,req)) {
       // Grant access
@@ -195,7 +203,6 @@ module.exports = function ipfilter(ips, opts) {
       settings.logF('Access denied to IP address: ' + ip);
     }
 
-    var err = new IpDeniedError('Access denied to IP address: ' + ip);
-    return next(err);
+    return error(ip, next);
   };
 };
diff --git a/test/ipfilter.spec.js b/test/ipfilter.spec.js