diff options
| -rw-r--r-- | Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs | 20 | ||||
| -rw-r--r-- | Jellyfin.Api/Middleware/LanFilteringMiddleware.cs | 51 | ||||
| -rw-r--r-- | Jellyfin.Server/Extensions/ApiApplicationBuilderExtensions.cs | 10 | ||||
| -rw-r--r-- | Jellyfin.Server/Startup.cs | 1 | ||||
| -rw-r--r-- | MediaBrowser.Common/Extensions/HttpContextExtensions.cs | 2 | ||||
| -rw-r--r-- | MediaBrowser.Common/Net/INetworkManager.cs | 4 | ||||
| -rw-r--r-- | MediaBrowser.Common/Net/RemoteAccessPolicyResult.cs | 29 | ||||
| -rw-r--r-- | src/Jellyfin.Networking/Manager/NetworkManager.cs | 47 | ||||
| -rw-r--r-- | tests/Jellyfin.Networking.Tests/NetworkParseTests.cs | 43 |
9 files changed, 109 insertions, 98 deletions
diff --git a/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs b/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs index 842a69dd9..a0ed6c812 100644 --- a/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs +++ b/Jellyfin.Api/Middleware/IpBasedAccessValidationMiddleware.cs @@ -1,8 +1,10 @@ using System.Net; using System.Threading.Tasks; +using System.Web; using MediaBrowser.Common.Extensions; using MediaBrowser.Common.Net; using Microsoft.AspNetCore.Http; +using Microsoft.Extensions.Logging; namespace Jellyfin.Api.Middleware; @@ -12,14 +14,17 @@ namespace Jellyfin.Api.Middleware; public class IPBasedAccessValidationMiddleware { private readonly RequestDelegate _next; + private readonly ILogger<IPBasedAccessValidationMiddleware> _logger; /// <summary> /// Initializes a new instance of the <see cref="IPBasedAccessValidationMiddleware"/> class. /// </summary> /// <param name="next">The next delegate in the pipeline.</param> - public IPBasedAccessValidationMiddleware(RequestDelegate next) + /// <param name="logger">The logger to log to.</param> + public IPBasedAccessValidationMiddleware(RequestDelegate next, ILogger<IPBasedAccessValidationMiddleware> logger) { _next = next; + _logger = logger; } /// <summary> @@ -32,16 +37,23 @@ public class IPBasedAccessValidationMiddleware { if (httpContext.IsLocal()) { - // Running locally. + // Accessing from the same machine as the server. await _next(httpContext).ConfigureAwait(false); return; } - var remoteIP = httpContext.Connection.RemoteIpAddress ?? IPAddress.Loopback; + var remoteIP = httpContext.GetNormalizedRemoteIP(); - if (!networkManager.HasRemoteAccess(remoteIP)) + var result = networkManager.ShouldAllowServerAccess(remoteIP); + if (result != RemoteAccessPolicyResult.Allow) { // No access from network, respond with 503 instead of 200. + _logger.LogWarning( + "Blocking request to {Path} by {RemoteIP} due to IP filtering rule, reason: {Reason}", + // url-encode to block log injection + HttpUtility.UrlEncode(httpContext.Request.Path), + remoteIP, + result); httpContext.Response.StatusCode = StatusCodes.Status503ServiceUnavailable; return; } diff --git a/Jellyfin.Api/Middleware/LanFilteringMiddleware.cs b/Jellyfin.Api/Middleware/LanFilteringMiddleware.cs deleted file mode 100644 index 35b0a1dd0..000000000 --- a/Jellyfin.Api/Middleware/LanFilteringMiddleware.cs +++ /dev/null @@ -1,51 +0,0 @@ -using System.Net; -using System.Threading.Tasks; -using MediaBrowser.Common.Extensions; -using MediaBrowser.Common.Net; -using MediaBrowser.Controller.Configuration; -using Microsoft.AspNetCore.Http; - -namespace Jellyfin.Api.Middleware; - -/// <summary> -/// Validates the LAN host IP based on application configuration. -/// </summary> -public class LanFilteringMiddleware -{ - private readonly RequestDelegate _next; - - /// <summary> - /// Initializes a new instance of the <see cref="LanFilteringMiddleware"/> class. - /// </summary> - /// <param name="next">The next delegate in the pipeline.</param> - public LanFilteringMiddleware(RequestDelegate next) - { - _next = next; - } - - /// <summary> - /// Executes the middleware action. - /// </summary> - /// <param name="httpContext">The current HTTP context.</param> - /// <param name="networkManager">The network manager.</param> - /// <param name="serverConfigurationManager">The server configuration manager.</param> - /// <returns>The async task.</returns> - public async Task Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager) - { - if (serverConfigurationManager.GetNetworkConfiguration().EnableRemoteAccess) - { - await _next(httpContext).ConfigureAwait(false); - return; - } - - var host = httpContext.GetNormalizedRemoteIP(); - if (!networkManager.IsInLocalNetwork(host)) - { - // No access from network, respond with 503 instead of 200. - httpContext.Response.StatusCode = StatusCodes.Status503ServiceUnavailable; - return; - } - - await _next(httpContext).ConfigureAwait(false); - } -} diff --git a/Jellyfin.Server/Extensions/ApiApplicationBuilderExtensions.cs b/Jellyfin.Server/Extensions/ApiApplicationBuilderExtensions.cs index 6066893de..a56baba33 100644 --- a/Jellyfin.Server/Extensions/ApiApplicationBuilderExtensions.cs +++ b/Jellyfin.Server/Extensions/ApiApplicationBuilderExtensions.cs @@ -69,16 +69,6 @@ namespace Jellyfin.Server.Extensions } /// <summary> - /// Adds LAN based access filtering to the application pipeline. - /// </summary> - /// <param name="appBuilder">The application builder.</param> - /// <returns>The updated application builder.</returns> - public static IApplicationBuilder UseLanFiltering(this IApplicationBuilder appBuilder) - { - return appBuilder.UseMiddleware<LanFilteringMiddleware>(); - } - - /// <summary> /// Enables url decoding before binding to the application pipeline. /// </summary> /// <param name="appBuilder">The <see cref="IApplicationBuilder"/>.</param> diff --git a/Jellyfin.Server/Startup.cs b/Jellyfin.Server/Startup.cs index 688b16935..94ae54a35 100644 --- a/Jellyfin.Server/Startup.cs +++ b/Jellyfin.Server/Startup.cs @@ -208,7 +208,6 @@ namespace Jellyfin.Server mainApp.UseRouting(); mainApp.UseAuthorization(); - mainApp.UseLanFiltering(); mainApp.UseIPBasedAccessValidation(); mainApp.UseWebSocketHandler(); mainApp.UseServerStartupMessage(); diff --git a/MediaBrowser.Common/Extensions/HttpContextExtensions.cs b/MediaBrowser.Common/Extensions/HttpContextExtensions.cs index a1056b7c8..739a53c7a 100644 --- a/MediaBrowser.Common/Extensions/HttpContextExtensions.cs +++ b/MediaBrowser.Common/Extensions/HttpContextExtensions.cs @@ -12,7 +12,7 @@ namespace MediaBrowser.Common.Extensions /// Checks the origin of the HTTP context. /// </summary> /// <param name="context">The incoming HTTP context.</param> - /// <returns><c>true</c> if the request is coming from LAN, <c>false</c> otherwise.</returns> + /// <returns><c>true</c> if the request is coming from the same machine as is running the server, <c>false</c> otherwise.</returns> public static bool IsLocal(this HttpContext context) { return (context.Connection.LocalIpAddress is null diff --git a/MediaBrowser.Common/Net/INetworkManager.cs b/MediaBrowser.Common/Net/INetworkManager.cs index d838144ff..bd785bcbc 100644 --- a/MediaBrowser.Common/Net/INetworkManager.cs +++ b/MediaBrowser.Common/Net/INetworkManager.cs @@ -127,7 +127,7 @@ namespace MediaBrowser.Common.Net /// Checks if <paramref name="remoteIP"/> has access to the server. /// </summary> /// <param name="remoteIP">IP address of the client.</param> - /// <returns><b>True</b> if it has access, otherwise <b>false</b>.</returns> - bool HasRemoteAccess(IPAddress remoteIP); + /// <returns>The result of evaluating the access policy, <c>Allow</c> if it should be allowed.</returns> + RemoteAccessPolicyResult ShouldAllowServerAccess(IPAddress remoteIP); } } diff --git a/MediaBrowser.Common/Net/RemoteAccessPolicyResult.cs b/MediaBrowser.Common/Net/RemoteAccessPolicyResult.cs new file mode 100644 index 000000000..193d37228 --- /dev/null +++ b/MediaBrowser.Common/Net/RemoteAccessPolicyResult.cs @@ -0,0 +1,29 @@ +using System; + +namespace MediaBrowser.Common.Net; + +/// <summary> +/// Result of <see cref="INetworkManager.ShouldAllowServerAccess" />. +/// </summary> +public enum RemoteAccessPolicyResult +{ + /// <summary> + /// The connection should be allowed. + /// </summary> + Allow, + + /// <summary> + /// The connection should be rejected since it is not from a local IP and remote access is disabled. + /// </summary> + RejectDueToRemoteAccessDisabled, + + /// <summary> + /// The connection should be rejected since it is from a blocklisted IP. + /// </summary> + RejectDueToIPBlocklist, + + /// <summary> + /// The connection should be rejected since it is from a remote IP that is not in the allowlist. + /// </summary> + RejectDueToNotAllowlistedRemoteIP, +} diff --git a/src/Jellyfin.Networking/Manager/NetworkManager.cs b/src/Jellyfin.Networking/Manager/NetworkManager.cs index 80a5741df..126d9f15c 100644 --- a/src/Jellyfin.Networking/Manager/NetworkManager.cs +++ b/src/Jellyfin.Networking/Manager/NetworkManager.cs @@ -690,33 +690,42 @@ public class NetworkManager : INetworkManager, IDisposable } /// <inheritdoc/> - public bool HasRemoteAccess(IPAddress remoteIP) + public RemoteAccessPolicyResult ShouldAllowServerAccess(IPAddress remoteIP) { var config = _configurationManager.GetNetworkConfiguration(); - if (config.EnableRemoteAccess) + if (IsInLocalNetwork(remoteIP)) { - // Comma separated list of IP addresses or IP/netmask entries for networks that will be allowed to connect remotely. - // If left blank, all remote addresses will be allowed. - if (_remoteAddressFilter.Any() && !IsInLocalNetwork(remoteIP)) - { - // remoteAddressFilter is a whitelist or blacklist. - var matches = _remoteAddressFilter.Count(remoteNetwork => NetworkUtils.SubnetContainsAddress(remoteNetwork, remoteIP)); - if ((!config.IsRemoteIPFilterBlacklist && matches > 0) - || (config.IsRemoteIPFilterBlacklist && matches == 0)) - { - return true; - } - - return false; - } + return RemoteAccessPolicyResult.Allow; } - else if (!IsInLocalNetwork(remoteIP)) + + if (!config.EnableRemoteAccess) { // Remote not enabled. So everyone should be LAN. - return false; + return RemoteAccessPolicyResult.RejectDueToRemoteAccessDisabled; } - return true; + if (!_remoteAddressFilter.Any()) + { + // No filter on remote addresses, allow any of them. + return RemoteAccessPolicyResult.Allow; + } + + // Comma separated list of IP addresses or IP/netmask entries for networks that will be allowed to connect remotely. + // If left blank, all remote addresses will be allowed. + + // remoteAddressFilter is a whitelist or blacklist. + var anyMatches = _remoteAddressFilter.Any(remoteNetwork => NetworkUtils.SubnetContainsAddress(remoteNetwork, remoteIP)); + if (config.IsRemoteIPFilterBlacklist) + { + return anyMatches + ? RemoteAccessPolicyResult.RejectDueToIPBlocklist + : RemoteAccessPolicyResult.Allow; + } + + // Allow-list + return anyMatches + ? RemoteAccessPolicyResult.Allow + : RemoteAccessPolicyResult.RejectDueToNotAllowlistedRemoteIP; } /// <inheritdoc/> diff --git a/tests/Jellyfin.Networking.Tests/NetworkParseTests.cs b/tests/Jellyfin.Networking.Tests/NetworkParseTests.cs index ef87e46a7..38208476f 100644 --- a/tests/Jellyfin.Networking.Tests/NetworkParseTests.cs +++ b/tests/Jellyfin.Networking.Tests/NetworkParseTests.cs @@ -281,11 +281,11 @@ namespace Jellyfin.Networking.Tests } [Theory] - [InlineData("185.10.10.10,200.200.200.200", "79.2.3.4", true)] - [InlineData("185.10.10.10", "185.10.10.10", false)] - [InlineData("", "100.100.100.100", false)] + [InlineData("185.10.10.10,200.200.200.200", "79.2.3.4", RemoteAccessPolicyResult.RejectDueToNotAllowlistedRemoteIP)] + [InlineData("185.10.10.10", "185.10.10.10", RemoteAccessPolicyResult.Allow)] + [InlineData("", "100.100.100.100", RemoteAccessPolicyResult.Allow)] - public void HasRemoteAccess_GivenWhitelist_AllowsOnlyIPsInWhitelist(string addresses, string remoteIP, bool denied) + public void HasRemoteAccess_GivenWhitelist_AllowsOnlyIPsInWhitelist(string addresses, string remoteIP, RemoteAccessPolicyResult expectedResult) { // Comma separated list of IP addresses or IP/netmask entries for networks that will be allowed to connect remotely. // If left blank, all remote addresses will be allowed. @@ -299,15 +299,38 @@ namespace Jellyfin.Networking.Tests var startupConf = new Mock<IConfiguration>(); using var nm = new NetworkManager(NetworkParseTests.GetMockConfig(conf), startupConf.Object, new NullLogger<NetworkManager>()); - Assert.NotEqual(nm.HasRemoteAccess(IPAddress.Parse(remoteIP)), denied); + Assert.Equal(expectedResult, nm.ShouldAllowServerAccess(IPAddress.Parse(remoteIP))); } [Theory] - [InlineData("185.10.10.10", "79.2.3.4", false)] - [InlineData("185.10.10.10", "185.10.10.10", true)] - [InlineData("", "100.100.100.100", false)] + [InlineData("185.10.10.10,200.200.200.200", "79.2.3.4", RemoteAccessPolicyResult.RejectDueToRemoteAccessDisabled)] + [InlineData("185.10.10.10", "127.0.0.1", RemoteAccessPolicyResult.Allow)] + [InlineData("", "100.100.100.100", RemoteAccessPolicyResult.RejectDueToRemoteAccessDisabled)] - public void HasRemoteAccess_GivenBlacklist_BlacklistTheIPs(string addresses, string remoteIP, bool denied) + public void HasRemoteAccess_GivenRemoteAccessDisabled_IgnoresAllowlist(string addresses, string remoteIP, RemoteAccessPolicyResult expectedResult) + { + // Comma separated list of IP addresses or IP/netmask entries for networks that will be allowed to connect remotely. + // If left blank, all remote addresses will be allowed. + var conf = new NetworkConfiguration() + { + EnableIPv4 = true, + EnableRemoteAccess = false, + RemoteIPFilter = addresses.Split(','), + IsRemoteIPFilterBlacklist = false + }; + + var startupConf = new Mock<IConfiguration>(); + using var nm = new NetworkManager(NetworkParseTests.GetMockConfig(conf), startupConf.Object, new NullLogger<NetworkManager>()); + + Assert.Equal(expectedResult, nm.ShouldAllowServerAccess(IPAddress.Parse(remoteIP))); + } + + [Theory] + [InlineData("185.10.10.10", "79.2.3.4", RemoteAccessPolicyResult.Allow)] + [InlineData("185.10.10.10", "185.10.10.10", RemoteAccessPolicyResult.RejectDueToIPBlocklist)] + [InlineData("", "100.100.100.100", RemoteAccessPolicyResult.Allow)] + + public void HasRemoteAccess_GivenBlacklist_BlacklistTheIPs(string addresses, string remoteIP, RemoteAccessPolicyResult expectedResult) { // Comma separated list of IP addresses or IP/netmask entries for networks that will be allowed to connect remotely. // If left blank, all remote addresses will be allowed. @@ -321,7 +344,7 @@ namespace Jellyfin.Networking.Tests var startupConf = new Mock<IConfiguration>(); using var nm = new NetworkManager(NetworkParseTests.GetMockConfig(conf), startupConf.Object, new NullLogger<NetworkManager>()); - Assert.NotEqual(nm.HasRemoteAccess(IPAddress.Parse(remoteIP)), denied); + Assert.Equal(expectedResult, nm.ShouldAllowServerAccess(IPAddress.Parse(remoteIP))); } [Theory] |