express-ipfilter - npm Package Compare versions

Comparing version 0.3.0 to 0.3.1

CONTRIBUTING.md

@@ -17,12 +17,8 @@ # Contributing
 
-Make sure the tests pass:
+**Add tests** for your change. Make sure the tests pass:
 
-    npm test
+    grunt test
 
-Make your change. **Add tests** for your change. Make the tests pass:
+Update the version number at the top of the README, add your change to the changelog, and update the version in `package.json`
 
-    npm test
-
-Update the version number at the top of the README, add your change to the changelog, and update the version in `packet.json`
-
 Push to your fork and [submit a pull request][pr].
@@ -29,0 +25,0 @@

lib/ipfilter.js

@@ -50,3 +50,5 @@ /*!
 
-  var ipsIsFunction = _.isFunction(ips);
+  var getIps = _.isFunction(ips) ? ips : function () {
+    return ips;
+  };
   var logger = function logger(message) {
@@ -65,6 +67,2 @@ console.log(message);
 
-  function getIps() {
-    return ipsIsFunction ? ips() : ips;
-  }
-
   function getClientIp(req) {
@@ -170,2 +168,7 @@ var ipAddress;
 
+  var error = function error(ip, next) {
+    var err = new IpDeniedError('Access denied to IP address: ' + ip);
+    return next(err);
+  };
+
   return function (req, res, next) {
@@ -186,10 +189,15 @@ if (settings.excluding.length > 0) {
 
-    var ip = settings.detectIp(req);
-    // If no IPs were specified, skip
-    // this middleware
     var _ips = getIps();
     if (!_ips || !_ips.length) {
-      return next();
+      if (settings.mode == 'allow') {
+        // ip list is empty, thus no one allowed
+        return error('0.0.0.0/0', next);
+      } else {
+        // there are no blocked ips, skip
+        return next();
+      }
     }
 
+    var ip = settings.detectIp(req);
+
     if (matchClientIp(ip, req)) {
@@ -209,6 +217,5 @@ // Grant access
 
-    var err = new IpDeniedError('Access denied to IP address: ' + ip);
-    return next(err);
+    return error(ip, next);
   };
 };
 //# sourceMappingURL=ipfilter.js.map

package.json

 {
   "name": "express-ipfilter",
   "description": "A light-weight IP address based filtering system",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "author": "BaM Interactive",
@@ -6,0 +6,0 @@ "dependencies": {

README.md

@@ -9,3 +9,3 @@ express-ipfilter: A light-weight IP address based filtering system
 ## Version
-0.3.0
+0.3.1
 
@@ -160,2 +160,7 @@ ## Installation
 
+0.3.1
+ * Fixes critical bug that allowed access when ips is empty and mode == 'allow'.
+ * Adds minor speed improvements for middleware.
+ * Minor spelling and documentation fixes in README
+
 0.3.0
@@ -162,0 +167,0 @@ * Adds the ability to pass IPs by function so that we can dynamically retrieve white/black listed addresses.

src/ipfilter.js

@@ -47,3 +47,3 @@ /*!
 
-  var ipsIsFunction = _.isFunction(ips);
+  var getIps = _.isFunction(ips) ? ips : function(){ return ips; };
   var logger = function(message){ console.log(message);};
@@ -60,6 +60,2 @@ var settings = _.defaults( opts || {}, {
 
-  function getIps() {
-    return ipsIsFunction ? ips() : ips;
-  }
-
   function getClientIp(req) {
@@ -165,2 +161,7 @@ var ipAddress;
 
+  var error = function(ip, next){
+    var err = new IpDeniedError('Access denied to IP address: ' + ip);
+    return next(err);
+  };
+
   return function(req, res, next) {
@@ -181,8 +182,15 @@ if(settings.excluding.length > 0){
 
-    var ip = settings.detectIp(req);
-    // If no IPs were specified, skip
-    // this middleware
     var _ips = getIps();
-    if(!_ips || !_ips.length) { return next(); }
+    if(!_ips || !_ips.length) {
+      if(settings.mode == 'allow'){
+        // ip list is empty, thus no one allowed
+        return error('0.0.0.0/0', next);
+      } else {
+        // there are no blocked ips, skip
+        return next();
+      }
+    }
 
+    var ip = settings.detectIp(req);
+
     if(matchClientIp(ip,req)) {
@@ -202,5 +210,4 @@ // Grant access
 
-    var err = new IpDeniedError('Access denied to IP address: ' + ip);
-    return next(err);
+    return error(ip, next);
   };
 };

test/ipfilter.spec.js

@@ -67,43 +67,62 @@ /* global describe, it, beforeEach */
 describe('enforcing IP address whitelist restrictions', function () {
+  describe('with a whitelist with no ips', function () {
+    beforeEach(function () {
+      this.ipfilter = ipfilter([], { mode: 'allow', log: true });
+      this.req = {
+        session: {},
+        headers: [],
+        connection: {
+          remoteAddress: ''
+        }
+      };
+    });
 
-  beforeEach(function () {
-    this.ipfilter = ipfilter(['127.0.0.1'], { log: false, mode: 'allow', allowedHeaders: ['x-forwarded-for'] });
-    this.req = {
-      session: {},
-      headers: [],
-      connection: {
-        remoteAddress: ''
-      }
-    };
+    it('should deny', function (done) {
+      this.req.connection.remoteAddress = '127.0.0.1';
+      checkError(this.ipfilter, this.req, done);
+    });
   });
 
-  it('should allow whitelisted ips', function (done) {
-    this.req.connection.remoteAddress = '127.0.0.1';
-    this.ipfilter(this.req, {}, function () {
-      done();
+  describe('with a whitelist with ips', function () {
+    beforeEach(function () {
+      this.ipfilter = ipfilter(['127.0.0.1'], { log: false, mode: 'allow', allowedHeaders: ['x-forwarded-for'] });
+      this.req = {
+        session: {},
+        headers: [],
+        connection: {
+          remoteAddress: ''
+        }
+      };
     });
-  });
 
-  it('should allow whitelisted forwarded ips', function (done) {
-    this.req.headers['x-forwarded-for'] = '127.0.0.1';
-    this.ipfilter(this.req, {}, function () {
-      done();
+    it('should allow whitelisted ips', function (done) {
+      this.req.connection.remoteAddress = '127.0.0.1';
+      this.ipfilter(this.req, {}, function () {
+        done();
+      });
     });
-  });
 
-  it('should allow whitelisted port ips', function (done) {
-    this.req.connection.remoteAddress = '127.0.0.1:84849';
-    this.ipfilter(this.req, {}, function () {
-      done();
+    it('should allow whitelisted forwarded ips', function (done) {
+      this.req.headers['x-forwarded-for'] = '127.0.0.1';
+      this.ipfilter(this.req, {}, function () {
+        done();
+      });
     });
-  });
 
-  it('should deny all non-whitelisted ips', function (done) {
-    this.req.connection.remoteAddress = '127.0.0.2';
-    checkError(this.ipfilter, this.req, done);
-  });
+    it('should allow whitelisted port ips', function (done) {
+      this.req.connection.remoteAddress = '127.0.0.1:84849';
+      this.ipfilter(this.req, {}, function () {
+        done();
+      });
+    });
 
-  it('should deny all non-whitelisted forwarded ips', function (done) {
-    this.req.headers['x-forwarded-for'] = '127.0.0.2';
-    checkError(this.ipfilter, this.req, done);
+    it('should deny all non-whitelisted ips', function (done) {
+      this.req.connection.remoteAddress = '127.0.0.2';
+      checkError(this.ipfilter, this.req, done);
+    });
+
+    it('should deny all non-whitelisted forwarded ips', function (done) {
+      this.req.headers['x-forwarded-for'] = '127.0.0.2';
+      checkError(this.ipfilter, this.req, done);
+    });
   });
@@ -110,0 +129,0 @@ });

New alerts

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Fixed alerts

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

121031

1.19%

Lines of code

1513

2.02%

Number of lines in readme file

286

1.78%

No dependency changes