Check route level access before we check if IP is in bypass list

AikidoSec · Jan 27, 2025 · 0033b0f · 0033b0f
1 parent 38e9423
commit 0033b0f
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 15 deletions.
diff --git a/end2end/tests/hono-xml-blocklists.test.js b/end2end/tests/hono-xml-blocklists.test.js
@@ -21,7 +21,18 @@ t.beforeEach(async () => {
       Authorization: token,
     },
     body: JSON.stringify({
-      allowedIPAddresses: ["1.3.2.1"],
+      allowedIPAddresses: ["1.3.2.1", "1.3.2.2"],
+      endpoints: [
+        {
+          route: "/admin",
+          method: "GET",
+          forceProtectionOff: false,
+          allowedIPAddresses: ["1.3.2.1"],
+          rateLimiting: {
+            enabled: false,
+          },
+        },
+      ],
     }),
   });
   t.same(config.status, 200);
@@ -244,6 +255,24 @@ t.test("it does not block bypass IP if in blocklist", (t) => {
         signal: AbortSignal.timeout(5000),
       });
       t.same(resp1.status, 200);
+
+      const resp2 = await fetch("http://127.0.0.1:4004/admin", {
+        headers: {
+          "X-Forwarded-For": "1.3.2.1",
+        },
+      });
+      t.same(resp2.status, 200);
+
+      const resp3 = await fetch("http://127.0.0.1:4004/admin", {
+        headers: {
+          "X-Forwarded-For": "1.3.2.2",
+        },
+      });
+      t.same(resp3.status, 403);
+      t.same(
+        await resp3.text(),
+        `Your IP address is not allowed to access this resource. (Your IP: 1.3.2.2)`
+      );
     })
     .catch((error) => {
       t.fail(error);

diff --git a/library/sources/http-server/checkIfRequestIsBlocked.ts b/library/sources/http-server/checkIfRequestIsBlocked.ts
@@ -26,6 +26,20 @@ export function checkIfRequestIsBlocked(
     return false;
   }
 
+  if (!ipAllowedToAccessRoute(context, agent)) {
+    res.statusCode = 403;
+    res.setHeader("Content-Type", "text/plain");
+
+    let message = "Your IP address is not allowed to access this resource.";
+    if (context.remoteAddress) {
+      message += ` (Your IP: ${escapeHTML(context.remoteAddress)})`;
+    }
+
+    res.end(message);
+
+    return true;
+  }
+
   const isAllowedIP =
     context.remoteAddress &&
     agent.getConfig().isAllowedIP(context.remoteAddress);
@@ -52,20 +66,6 @@ export function checkIfRequestIsBlocked(
     return true;
   }
 
-  if (!ipAllowedToAccessRoute(context, agent)) {
-    res.statusCode = 403;
-    res.setHeader("Content-Type", "text/plain");
-
-    let message = "Your IP address is not allowed to access this resource.";
-    if (context.remoteAddress) {
-      message += ` (Your IP: ${escapeHTML(context.remoteAddress)})`;
-    }
-
-    res.end(message);
-
-    return true;
-  }
-
   const isUserAgentBlocked =
     context.headers && typeof context.headers["user-agent"] === "string"
       ? agent.getConfig().isUserAgentBlocked(context.headers["user-agent"])

diff --git a/sample-apps/hono-xml/app.js b/sample-apps/hono-xml/app.js
@@ -100,6 +100,16 @@ async function main() {
     return c.json({ success: true });
   });
 
+  app.get("/admin", async (c) => {
+    return c.html(
+      `<html lang="en">
+        <body>
+          <h1>Admin panel</h1>
+        </body>
+      </html>`
+    );
+  });
+
   app.post("/add-fast", async (c) => {
     const body = await c.req.text();