Support IPv6 CIDR in recursive whitelist - Fix #2

- Add IPv6 loopback in default config
- Switch Apache Commons Net SubnetUtils to CIDRUtils
- Add some debug statements

application.example.yaml

@@ -36,19 +36,22 @@ lookup:
   #
   # This is similar to DNS lookup and recursion and is therefore prone to the same vulnerabilities.
   # By default, only non-public hosts are allowed to perform recursive lookup.
-  # This will also prevent basic endless loops where:
+  #
-  # host A ask host B, which in turn is configured to ask host B, etc.
+  # This will also prevent very basic endless loops where host A ask host B, which in turn is configured to ask host A,
+  # which would then ask host B again, etc.
   recursive:
 
     # Enable recursive lookup globally
     enabled: true
 
-    # Whitelist of CIDR that will trigger a recursive lookup
+    # Whitelist of CIDR that will trigger a recursive lookup.
+    # The default list includes all private IPv4 address and the IPv6 loopback.
     allowedCidr:
       - '127.0.0.0/8'
       - '10.0.0.0/8'
       - '172.16.0.0/12'
       - '192.168.0.0/16'
+      - '::1/128'
 
 
 

build.gradle

@@ -54,9 +54,6 @@ dependencies {
     // DNS lookups
     compile 'dnsjava:dnsjava:2.1.8'
 
-    // Network utilities for recursive host check
-    compile 'commons-net:commons-net:3.5'
-
     testCompile 'junit:junit:4.12'
 }
 

src/main/groovy/io/kamax/mxisd/lookup/strategy/RecursivePriorityLookupStrategy.groovy

@@ -20,11 +20,11 @@
 
 package io.kamax.mxisd.lookup.strategy
 
+import edazdarevic.commons.net.CIDRUtils
 import io.kamax.mxisd.api.ThreePidType
 import io.kamax.mxisd.config.RecursiveLookupConfig
 import io.kamax.mxisd.lookup.LookupRequest
 import io.kamax.mxisd.lookup.provider.ThreePidProvider
-import org.apache.commons.net.util.SubnetUtils
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.InitializingBean
@@ -42,7 +42,7 @@ class RecursivePriorityLookupStrategy implements LookupStrategy, InitializingBea
     @Autowired
     private List<ThreePidProvider> providers
 
-    private List<SubnetUtils.SubnetInfo> allowedCidr = new ArrayList<>()
+    private List<CIDRUtils> allowedCidr = new ArrayList<>()
 
     @Override
     void afterPropertiesSet() throws Exception {
@@ -60,7 +60,7 @@ class RecursivePriorityLookupStrategy implements LookupStrategy, InitializingBea
         log.info("Recursive lookup enabled: {}", recursiveCfg.isEnabled())
         for (String cidr : recursiveCfg.getAllowedCidr()) {
             log.info("{} is allowed for recursion", cidr)
-            allowedCidr.add(new SubnetUtils(cidr).getInfo())
+            allowedCidr.add(new CIDRUtils(cidr))
         }
     }
 
@@ -72,10 +72,14 @@ class RecursivePriorityLookupStrategy implements LookupStrategy, InitializingBea
 
         boolean canRecurse = false
         if (recursiveCfg.isEnabled()) {
-            for (SubnetUtils.SubnetInfo cidr : allowedCidr) {
+            log.debug("Checking {} CIDRs for recursion", allowedCidr.size())
+            for (CIDRUtils cidr : allowedCidr) {
                 if (cidr.isInRange(request.getRequester())) {
+                    log.debug("{} is in range {}, allowing recursion", request.getRequester(), cidr.getNetworkAddress())
                     canRecurse = true
                     break
+                } else {
+                    log.debug("{} is not in range {}", request.getRequester(), cidr.getNetworkAddress())
                 }
             }
         }

src/main/java/edazdarevic/commons/net/CIDRUtils.java

@@ -0,0 +1,142 @@
+/*
+* The MIT License
+*
+* Copyright (c) 2013 Edin Dazdarevic (edin.dazdarevic@gmail.com)
+
+* Permission is hereby granted, free of charge, to any person obtaining a copy
+* of this software and associated documentation files (the "Software"), to deal
+* in the Software without restriction, including without limitation the rights
+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+* copies of the Software, and to permit persons to whom the Software is
+* furnished to do so, subject to the following conditions:
+
+* The above copyright notice and this permission notice shall be included in
+* all copies or substantial portions of the Software.
+
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+* THE SOFTWARE.
+*
+* */
+
+package edazdarevic.commons.net;
+
+import java.math.BigInteger;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * A class that enables to get an IP range from CIDR specification. It supports
+ * both IPv4 and IPv6.
+ */
+public class CIDRUtils {
+    private final String cidr;
+
+    private InetAddress inetAddress;
+    private InetAddress startAddress;
+    private InetAddress endAddress;
+    private final int prefixLength;
+
+
+    public CIDRUtils(String cidr) throws UnknownHostException {
+
+        this.cidr = cidr;
+
+        /* split CIDR to address and prefix part */
+        if (this.cidr.contains("/")) {
+            int index = this.cidr.indexOf("/");
+            String addressPart = this.cidr.substring(0, index);
+            String networkPart = this.cidr.substring(index + 1);
+
+            inetAddress = InetAddress.getByName(addressPart);
+            prefixLength = Integer.parseInt(networkPart);
+
+            calculate();
+        } else {
+            throw new IllegalArgumentException("not an valid CIDR format!");
+        }
+    }
+
+
+    private void calculate() throws UnknownHostException {
+
+        ByteBuffer maskBuffer;
+        int targetSize;
+        if (inetAddress.getAddress().length == 4) {
+            maskBuffer =
+                    ByteBuffer
+                            .allocate(4)
+                            .putInt(-1);
+            targetSize = 4;
+        } else {
+            maskBuffer = ByteBuffer.allocate(16)
+                    .putLong(-1L)
+                    .putLong(-1L);
+            targetSize = 16;
+        }
+
+        BigInteger mask = (new BigInteger(1, maskBuffer.array())).not().shiftRight(prefixLength);
+
+        ByteBuffer buffer = ByteBuffer.wrap(inetAddress.getAddress());
+        BigInteger ipVal = new BigInteger(1, buffer.array());
+
+        BigInteger startIp = ipVal.and(mask);
+        BigInteger endIp = startIp.add(mask.not());
+
+        byte[] startIpArr = toBytes(startIp.toByteArray(), targetSize);
+        byte[] endIpArr = toBytes(endIp.toByteArray(), targetSize);
+
+        this.startAddress = InetAddress.getByAddress(startIpArr);
+        this.endAddress = InetAddress.getByAddress(endIpArr);
+
+    }
+
+    private byte[] toBytes(byte[] array, int targetSize) {
+        int counter = 0;
+        List<Byte> newArr = new ArrayList<Byte>();
+        while (counter < targetSize && (array.length - 1 - counter >= 0)) {
+            newArr.add(0, array[array.length - 1 - counter]);
+            counter++;
+        }
+
+        int size = newArr.size();
+        for (int i = 0; i < (targetSize - size); i++) {
+
+            newArr.add(0, (byte) 0);
+        }
+
+        byte[] ret = new byte[newArr.size()];
+        for (int i = 0; i < newArr.size(); i++) {
+            ret[i] = newArr.get(i);
+        }
+        return ret;
+    }
+
+    public String getNetworkAddress() {
+
+        return this.startAddress.getHostAddress();
+    }
+
+    public String getBroadcastAddress() {
+        return this.endAddress.getHostAddress();
+    }
+
+    public boolean isInRange(String ipAddress) throws UnknownHostException {
+        InetAddress address = InetAddress.getByName(ipAddress);
+        BigInteger start = new BigInteger(1, this.startAddress.getAddress());
+        BigInteger end = new BigInteger(1, this.endAddress.getAddress());
+        BigInteger target = new BigInteger(1, address.getAddress());
+
+        int st = start.compareTo(target);
+        int te = target.compareTo(end);
+
+        return (st == -1 || st == 0) && (te == -1 || te == 0);
+    }
+}