Proposal to add ability to use CIDR signatures for IP addresses in coldbox rules

box.json

@@ -25,7 +25,8 @@
     "dependencies":{
         "jwt-cfml":"^1.0.0",
         "cbauth":"^6.0.0",
-        "cbcsrf":"^3.0.0"
+        "cbcsrf":"^3.0.0",
+        "ip":"^1.0.0"
     },
     "devDependencies":{
         "commandbox-cfformat":"*",
@@ -62,6 +63,7 @@
     "installPaths":{
         "jwt-cfml":"modules/jwtcfml/",
         "cbauth":"modules/cbauth/",
-        "cbcsrf":"modules/cbcsrf/"
+        "cbcsrf":"modules/cbcsrf/",
+        "ip":"modules/ip/"
     }
 }

interceptors/Security.cfc

@@ -15,6 +15,7 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	property name="cbSecurity"          inject="@cbSecurity";
 	property name="invalidEventHandler" inject="coldbox:setting:invalidEventHandler";
 	property name="DBLogger"            inject="DBLogger@cbsecurity";
+	property name="ipHelper"            inject="ip@ip";
 
 	/**
 	 * The reference to the security validator for this firewall. One-to-One relationship.
@@ -25,6 +26,7 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	 * Configure the security firewall
 	 */
 	function configure(){
+
 		// Shorthand for rules
 		if ( isArray( variables.properties.firewall.rules ) ) {
 			variables.properties.firewall.rules = variables.cbSecurity
@@ -835,12 +837,28 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	 * @allowedIPs The allowedIPs in the rule
 	 */
 	private boolean function isValidIP( required allowedIPs ){
-		// Nothing or ALL
-		if ( !len( arguments.allowedIPs ) || arguments.allowedIPs == "*" ) {
+		var ipList = !len( arguments.allowedIPs ) ? "*" : arguments.allowedIPs;
+
+		if ( ipList eq "*" ) {
 			return true;
 		}
-		// Else we need to test the ip list against the actual IP
-		return listFindNoCase( arguments.allowedIPs, variables.cbSecurity.getRealIP() );
+
+		ipHelper.setLoadRange(false);
+		var ipRegex = "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$";
+		var realIp  = variables.cbSecurity.getRealIP();
+		var ipArray = listToArray( ipList ).map( ( v ) => replaceNoCase( v, " ", "", "ALL" ) );
+
+		// find ip address
+		var isIpValid = arrayFind( ipArray, ( val ) => {
+			// if simple ip
+			if ( isValid( type = "regex", value = val, pattern = ipRegex ) ) {
+				return realIp eq val;
+			} else {
+				return ipHelper.v4( val ).isInRange( realIp );
+			}
+		} );
+
+		return isIpValid != 0;
 	}
 
 	/**

server-adobe@2021.json

@@ -5,6 +5,7 @@
         "cfengine":"adobe@2021"
     },
     "web":{
+        "host":"0.0.0.0",
         "http":{
             "port":"60299"
         },
@@ -23,7 +24,7 @@
     "cfconfig":{
         "file":".cfconfig.json"
     },
-	"scripts":{
+    "scripts":{
         "onServerInstall":"cfpm install zip,debugger,mysql"
     }
 }

server-lucee@5.json

@@ -5,6 +5,7 @@
         "cfengine":"lucee@5"
     },
     "web":{
+        "host":"0.0.0.0",
         "http":{
             "port":"60299"
         },

test-harness/config/Coldbox.cfc

@@ -129,6 +129,16 @@
 							"action"      : "redirect",
 							"allowedIPs"  : "10.0.0.1"
 						},
+						// Match only given ips
+						{
+							"whitelist"   : "",
+							"securelist"  : "iptester",
+							"match"       : "event",
+							"roles"       : "",
+							"permissions" : "",
+							"action"      : "block",
+							"allowedIPs"  : "127.0.0.1, 172.17.1.140, 172.17.2.0/24"
+						},					
 						// no action, use global default action
 						{
 							"whitelist"   : "",

test-harness/handlers/IPTester.cfc

@@ -0,0 +1,24 @@
+/**
+ * I am a new handler
+ */
+component {
+
+	/* 
+		coldbox.cfc rules have been configured with the following ips 
+		127.0.0.1, 
+		172.17.1.140, 
+		172.17.2.0/24" 
+	*/
+
+	function index( event, rc, prc ){
+		event.setView( "IPTester/index" );
+	}
+
+
+
+	function fail( event, rc, prc ){
+		event.setView( "IPTester/fail" );
+	}
+
+
+}

test-harness/handlers/Main.cfc

@@ -26,7 +26,7 @@ component {
 	function doLogin( event, rc, prc ){
 		try {
 			var oUser = cbsecure().authenticate( rc.username ?: "", rc.password ?: "" );
-			return "You are logged in!";
+			return "You are logged in! Click <a href='/'>here</a> to go back";
 		} catch ( "InvalidCredentials" e ) {
 			flash.put( "message", "Invalid credentials, try again!" );
 			relocate( "main/login" );

test-harness/layouts/Main.cfm

@@ -1,5 +1,12 @@
 <cfoutput>
 <h1>Module Tester</h1>
+
+
+<!--- should should be singleton --->
+<cfset cbs = wirebox.getInstance( "cbSecurity@cbSecurity" ) />
+cbSecurity remote IP : #cbs.getRealIP()#<br/>
+You are #cbSecure().isLoggedIn() ? '' : '<span style="color:red">NOT</span>'# logged in 
+
 <div>
 	#renderView()#
 </div>

test-harness/views/iptester/fail.cfm

@@ -0,0 +1,4 @@
+<h4>IP Rule Tester</h4>
+<span style="color:red">Your IP Address was NOT allowed</span>
+<br/><br/>
+<a href="/">Go Back</a>

test-harness/views/iptester/index.cfm

@@ -0,0 +1,4 @@
+<h4>IP Rule Tester</h4>
+Your IP Address was allowed
+<br/><br/>
+<a href="/">Go Back</a>

test-harness/views/main/index.cfm

@@ -24,6 +24,9 @@
 	<li>
 		<a href="/putpost">PUT/POST Rejection</a>
 	</li>
+	<li>
+		<a href="/iptester">IP Tester Action</a>
+	</li>	
 	<li>
 		<a href="/noAction">Secure No Action</a>
 	</li>