Class: ActionDispatch::RemoteIp::GetIp

Inherits:
Object
  • Object
show all
Defined in:
actionpack/lib/action_dispatch/middleware/remote_ip.rb

Overview

The GetIp class exists as a way to defer processing of the request data into an actual IP address. If the ActionDispatch::Request#remote_ip method is called, this class will calculate the value and then memoize it.

Constant Summary collapse

VALID_IP =

This constant contains a regular expression that validates every known form of IP v4 and v6 address, with or without abbreviations, adapted from this gist.

%r{
  (^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[0-9]{1,2})(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[0-9]{1,2})){3}$)                                                        | # ip v4
  (^(
  (([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})                                                                                                                   | # ip v6 not abbreviated
  (([0-9A-Fa-f]{1,4}:){6}:[0-9A-Fa-f]{1,4})                                                                                                                  | # ip v6 with double colon in the end
  (([0-9A-Fa-f]{1,4}:){5}:([0-9A-Fa-f]{1,4}:)?[0-9A-Fa-f]{1,4})                                                                                              | # - ip addresses v6
  (([0-9A-Fa-f]{1,4}:){4}:([0-9A-Fa-f]{1,4}:){0,2}[0-9A-Fa-f]{1,4})                                                                                          | # - with
  (([0-9A-Fa-f]{1,4}:){3}:([0-9A-Fa-f]{1,4}:){0,3}[0-9A-Fa-f]{1,4})                                                                                          | # - double colon
  (([0-9A-Fa-f]{1,4}:){2}:([0-9A-Fa-f]{1,4}:){0,4}[0-9A-Fa-f]{1,4})                                                                                          | # - in the middle
  (([0-9A-Fa-f]{1,4}:){6} ((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3} (\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))                            | # ip v6 with compatible to v4
  (([0-9A-Fa-f]{1,4}:){1,5}:((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))                           | # ip v6 with compatible to v4
  (([0-9A-Fa-f]{1,4}:){1}:([0-9A-Fa-f]{1,4}:){0,4}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))     | # ip v6 with compatible to v4
  (([0-9A-Fa-f]{1,4}:){0,2}:([0-9A-Fa-f]{1,4}:){0,3}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))   | # ip v6 with compatible to v4
  (([0-9A-Fa-f]{1,4}:){0,3}:([0-9A-Fa-f]{1,4}:){0,2}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))   | # ip v6 with compatible to v4
  (([0-9A-Fa-f]{1,4}:){0,4}:([0-9A-Fa-f]{1,4}:){1}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))     | # ip v6 with compatible to v4
  (::([0-9A-Fa-f]{1,4}:){0,5}((\b((25[0-5])|(1\d{2})|(2[0-4]\d) |(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))                         | # ip v6 with compatible to v4
  ([0-9A-Fa-f]{1,4}::([0-9A-Fa-f]{1,4}:){0,5}[0-9A-Fa-f]{1,4})                                                                                               | # ip v6 with compatible to v4
  (::([0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4})                                                                                                               | # ip v6 with double colon at the beginning
  (([0-9A-Fa-f]{1,4}:){1,7}:)                                                                                                                                  # ip v6 without ending
  )$)
}x

Instance Method Summary collapse

Constructor Details

#initialize(env, middleware) ⇒ GetIp

Returns a new instance of GetIp.



109
110
111
112
113
# File 'actionpack/lib/action_dispatch/middleware/remote_ip.rb', line 109

def initialize(env, middleware)
  @env      = env
  @check_ip = middleware.check_ip
  @proxies  = middleware.proxies
end

Instance Method Details

#calculate_ipObject

Sort through the various IP address headers, looking for the IP most likely to be the address of the actual remote client making this request.

REMOTE_ADDR will be correct if the request is made directly against the Ruby process, on e.g. Heroku. When the request is proxied by another server like HAProxy or Nginx, the IP address that made the original request will be put in an X-Forwarded-For header. If there are multiple proxies, that header may contain a list of IPs. Other proxy services set the Client-Ip header instead, so we check that too.

As discussed in this post about Rails IP Spoofing, while the first IP in the list is likely to be the “originating” IP, it could also have been set by the client maliciously.

In order to find the first address that is (probably) accurate, we take the list of IPs, remove known and trusted proxies, and then take the last address left, which was presumably set by one of those proxies.



133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
# File 'actionpack/lib/action_dispatch/middleware/remote_ip.rb', line 133

def calculate_ip
  # Set by the Rack web server, this is a single value.
  remote_addr = ips_from('REMOTE_ADDR').last

  # Could be a CSV list and/or repeated headers that were concatenated.
  client_ips    = ips_from('HTTP_CLIENT_IP').reverse
  forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR').reverse

  # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
  # If they are both set, it means that this request passed through two
  # proxies with incompatible IP header conventions, and there is no way
  # for us to determine which header is the right one after the fact.
  # Since we have no idea, we give up and explode.
  should_check_ip = @check_ip && client_ips.last && forwarded_ips.last
  if should_check_ip && !forwarded_ips.include?(client_ips.last)
    # We don't know which came from the proxy, and which from the user
    raise IpSpoofAttackError, "IP spoofing attack?! " +
      "HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect} " +
      "HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}"
  end

  # We assume these things about the IP headers:
  #
  #   - X-Forwarded-For will be a list of IPs, one per proxy, or blank
  #   - Client-Ip is propagated from the outermost proxy, or is blank
  #   - REMOTE_ADDR will be the IP that made the request to Rack
  ips = [forwarded_ips, client_ips, remote_addr].flatten.compact

  # If every single IP option is in the trusted list, just return REMOTE_ADDR
  filter_proxies(ips).first || remote_addr
end

#to_sObject

Memoizes the value returned by #calculate_ip and returns it for ActionDispatch::Request to use.



167
168
169
# File 'actionpack/lib/action_dispatch/middleware/remote_ip.rb', line 167

def to_s
  @ip ||= calculate_ip
end