From 4e47681e7b3bb92fad73660832eb91a62e148f87 Mon Sep 17 00:00:00 2001
From: Matthew Draper <matthew@trebex.net>
Date: Sun, 12 Apr 2015 08:29:28 +0930
Subject: [PATCH] Always apply Web Console's stricter whitelist to remote IPs

---
 lib/web_console/request.rb       | 21 ++++++++++++++++++++-
 test/web_console/request_test.rb | 24 ++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/lib/web_console/request.rb b/lib/web_console/request.rb
index f48aec6..d7a8a72 100644
--- a/lib/web_console/request.rb
+++ b/lib/web_console/request.rb
@@ -15,7 +15,12 @@ module WebConsole
     # For a request to hit Web Console features, it needs to come from a white
     # listed IP.
     def from_whitelited_ip?
-      whitelisted_ips.include?(remote_ip)
+      whitelisted_ips.include?(strict_remote_ip)
+    end
+
+    # Determines the remote IP using our much stricter whitelist.
+    def strict_remote_ip
+      GetSecureIp.new(env, whitelisted_ips).to_s
     end
 
     # Returns whether the request is from an acceptable content type.
@@ -26,5 +31,19 @@ module WebConsole
     def acceptable_content_type?
       content_type.blank? || content_type.in?(acceptable_content_types)
     end
+
+    class GetSecureIp < ActionDispatch::RemoteIp::GetIp
+      def initialize(env, proxies)
+        @env      = env
+        @check_ip = true
+        @proxies  = proxies
+      end
+
+      def filter_proxies(ips)
+        ips.reject do |ip|
+          @proxies.include?(ip)
+        end
+      end
+    end
   end
 end
diff --git a/test/web_console/request_test.rb b/test/web_console/request_test.rb
index 93b466b..3fd953a 100644
--- a/test/web_console/request_test.rb
+++ b/test/web_console/request_test.rb
@@ -18,6 +18,30 @@ module WebConsole
       assert req.from_whitelited_ip?
     end
 
+    test '#from_whitelisted_ip? is truthy for whitelisted IPs via whitelisted proxies' do
+      req = request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '127.0.0.0')
+
+      assert req.from_whitelited_ip?
+    end
+
+    test '#from_whitelisted_ip? is falsy for blacklisted IPs via whitelisted proxies' do
+      req = request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '0.0.0.0')
+
+      assert_not req.from_whitelited_ip?
+    end
+
+    test '#from_whitelisted_ip? is falsy for lying blacklisted IPs via whitelisted proxies' do
+      req = request('http://example.com', 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '10.0.0.0, 127.0.0.0')
+
+      assert_not req.from_whitelited_ip?
+    end
+
+    test '#from_whitelisted_ip? is falsy for whitelisted IPs via blacklisted proxies' do
+      req = request('http://example.com', 'REMOTE_ADDR' => '10.0.0.0', 'HTTP_X_FORWARDED_FOR' => '127.0.0.0')
+
+      assert_not req.from_whitelited_ip?
+    end
+
     test '#acceptable_content_type? is truthy for explicit HTML content type' do
       html = request('http://example.com', 'CONTENT_TYPE' => 'text/html')
       xhtml = request('http://example.com', 'CONTENT_TYPE' => 'application/xhtml+xml')
-- 
2.3.2 (Apple Git-55)