refactor: replace express-ipfilter with lightweight custom middleware (#3917)

This fixes security issue [CVE-2023-42282](https://github.com/advisories/GHSA-78xj-cgh5-2h22), which is not very likely to be exploitable in MagicMirror² setups, but still should be fixed. The [express-ipfilter](https://www.npmjs.com/package/express-ipfilter) package depends on the obviously unmaintained [ip](https://github.com/indutny/node-ip) package, which has known security vulnerabilities. Since no fix is available, this commit replaces both dependencies with a custom middleware using the better maintained [ipaddr.js](https://www.npmjs.com/package/ipaddr.js) library. Changes: - Add new `js/ip_access_control.js` with lightweight middleware - Remove `express-ipfilter` dependency, add `ipaddr.js` - Update `js/server.js` to use new middleware - In addition, I have formulated the descriptions of the corresponding tests a little more clearly.
2025-10-19 18:59:55 +00:00 · 2025-10-18 19:56:55 +02:00
parent 9ff716f4ab
commit 37d1a3ae8f
6 changed files with 93 additions and 88 deletions
--- a/js/ip_access_control.js
+++ b/js/ip_access_control.js
@@ -0,0 +1,63 @@
+const ipaddr = require("ipaddr.js");
+const Log = require("logger");
+
+/**
+ * Checks if a client IP matches any entry in the whitelist
+ * @param {string} clientIp - The IP address to check
+ * @param {string[]} whitelist - Array of IP addresses or CIDR ranges
+ * @returns {boolean} True if IP is allowed
+ */
+function isAllowed (clientIp, whitelist) {
+	try {
+		const addr = ipaddr.process(clientIp);
+
+		return whitelist.some((entry) => {
+			try {
+				// CIDR notation
+				if (entry.includes("/")) {
+					const [rangeAddr, prefixLen] = ipaddr.parseCIDR(entry);
+					return addr.match(rangeAddr, prefixLen);
+				}
+
+				// Single IP address - let ipaddr.process normalize both
+				const allowedAddr = ipaddr.process(entry);
+				return addr.toString() === allowedAddr.toString();
+			} catch (err) {
+				Log.warn(`Invalid whitelist entry: ${entry}`);
+				return false;
+			}
+		});
+	} catch (err) {
+		Log.warn(`Failed to parse client IP: ${clientIp}`);
+		return false;
+	}
+}
+
+/**
+ * Creates an Express middleware for IP whitelisting
+ * @param {string[]} whitelist - Array of allowed IP addresses or CIDR ranges
+ * @returns {import("express").RequestHandler} Express middleware function
+ */
+function ipAccessControl (whitelist) {
+	// Empty whitelist means allow all
+	if (!Array.isArray(whitelist) || whitelist.length === 0) {
+		return function (req, res, next) {
+			res.header("Access-Control-Allow-Origin", "*");
+			next();
+		};
+	}
+
+	return function (req, res, next) {
+		const clientIp = req.ip || req.socket.remoteAddress;
+
+		if (isAllowed(clientIp, whitelist)) {
+			res.header("Access-Control-Allow-Origin", "*");
+			next();
+		} else {
+			Log.log(`IP ${clientIp} is not allowed to access the mirror`);
+			res.status(403).send("This device is not allowed to access your mirror. <br> Please check your config.js or config.js.sample to change this.");
+		}
+	};
+}
+
+module.exports = { ipAccessControl };