feat: handle the case where the source IP is invalid

danroc · Oct 31, 2024 · 93af95f · 93af95f
1 parent 7e3ac74
commit 93af95f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/pkg/database/resolver.go b/pkg/database/resolver.go
@@ -96,21 +96,15 @@ func resolve(ip net.IP, countryDB *Database, asnDB *Database) *Resolution {
 
 // Resolve resolves the given IP address to a country code and an ASN.
 //
-// If the IP is nil, the function returns nil. It is the caller's
-// responsibility to check if the IP is valid.
+// It is the caller's responsibility to check if the IP is valid.
 //
 // If the country of the IP is not found, the CountryCode field of the result
-// will be an empty string.
-//
-// If the ASN of the IP is not found, the ASN field of the result will be zero.
+// will be an empty string. If the ASN of the IP is not found, the ASN field of
+// the result will be zero.
 //
 // The Organization field is present for informational purposes only. It is not
 // used by the rules engine.
 func (r *Resolver) Resolve(ip net.IP) *Resolution {
-	if ip == nil {
-		return nil
-	}
-
 	if utils.IsIPv4(ip) {
 		return resolve(ip, r.countryDBv4, r.asnDBv4)
 	}

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -53,7 +53,18 @@ func getForwardAuth(
 		return
 	}
 
+	// For sanity, we check if the source IP is a valid IP address. If the IP
+	// is invalid, we deny the request regardless of the default policy.
 	sourceIP := net.ParseIP(origin)
+	if sourceIP == nil {
+		log.WithFields(log.Fields{
+			FieldRequestedDomain: domain,
+			FieldSourceIP:        origin,
+		}).Warn("Invalid source IP")
+		writer.WriteHeader(http.StatusForbidden)
+		return
+	}
+
 	resolution := resolver.Resolve(sourceIP)
 
 	query := rules.Query{