security: always whitelist localhost

Author: Datanoise

config/config.go

@@ -2,8 +2,9 @@ package config
 
 import (
 	"encoding/json"
-	"golang.org/x/crypto/bcrypt"
 	"os"
+
+	"golang.org/x/crypto/bcrypt"
 )
 
 const (
@@ -75,6 +76,7 @@ type Config struct {
 	Transcoders    []*TranscoderConfig       `json:"transcoders"`
 	Webhooks       []*WebhookConfig          `json:"webhooks"`
 	BannedIPs      []string                  `json:"banned_ips"`
+	WhitelistedIPs []string                  `json:"whitelisted_ips"`
 
 	AdminPassword  string            `json:"admin_password"`
 	AdminUser      string            `json:"admin_user"`
@@ -219,6 +221,9 @@ func (config *Config) initMapsAndArrays() {
 	if config.BannedIPs == nil {
 		config.BannedIPs = make([]string, 0)
 	}
+	if config.WhitelistedIPs == nil {
+		config.WhitelistedIPs = make([]string, 0)
+	}
 	if config.AutoDJs == nil {
 		config.AutoDJs = make([]*AutoDJConfig, 0)
 	}

server/auth.go

@@ -62,10 +62,16 @@ func (s *Server) checkAuthLimit(ip string) error {
 		attempt.Count = 0
 	}
 
+	if s.isWhitelisted(ip) {
+		return nil
+	}
 	return nil
 }
 
 func (s *Server) recordAuthFailure(ip string) {
+	if s.isWhitelisted(ip) {
+		return
+	}
 	s.authAttemptsMu.Lock()
 	defer s.authAttemptsMu.Unlock()
 
@@ -95,6 +101,9 @@ func (s *Server) recordAuthSuccess(ip string) {
 }
 
 func (s *Server) recordScanAttempt(ip, path string) {
+	if s.isWhitelisted(ip) {
+		return
+	}
 	s.scanAttemptsMu.Lock()
 	defer s.scanAttemptsMu.Unlock()
 
@@ -104,10 +113,8 @@ func (s *Server) recordScanAttempt(ip, path string) {
 		s.scanAttempts[ip] = attempt
 	}
 
-	if !attempt.Paths[path] {
-		attempt.Paths[path] = true
-		attempt.Count++
-	}
+	attempt.Paths[path] = true
+	attempt.Count++
 
 	if attempt.Count >= 10 {
 		attempt.LockoutBy = time.Now().Add(15 * time.Minute)
@@ -167,6 +174,35 @@ func (s *Server) hasAccess(user *config.User, mount string) bool {
 	return exists
 }
 
+func (s *Server) isWhitelisted(ipStr string) bool {
+	host, _, err := net.SplitHostPort(ipStr)
+	if err != nil {
+		host = ipStr
+	}
+
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return false
+	}
+
+	if ip.IsLoopback() {
+		return true
+	}
+
+	for _, whitelisted := range s.Config.WhitelistedIPs {
+		if strings.Contains(whitelisted, "/") {
+			_, ipnet, err := net.ParseCIDR(whitelisted)
+			if err == nil && ipnet.Contains(ip) {
+				return true
+			}
+		}
+		if whitelisted == host {
+			return true
+		}
+	}
+	return false
+}
+
 func (s *Server) isCSRFSafe(r *http.Request) bool {
 	if r.Method != http.MethodPost {
 		return true
@@ -200,6 +236,9 @@ func (s *Server) isCSRFSafe(r *http.Request) bool {
 }
 
 func (s *Server) isBanned(ipStr string) bool {
+	if s.isWhitelisted(ipStr) {
+		return false
+	}
 	host, _, err := net.SplitHostPort(ipStr)
 	if err != nil {
 		host = ipStr

server/auth_test.go

@@ -0,0 +1,70 @@
+package server
+
+import (
+	"testing"
+
+	"github.com/DatanoiseTV/tinyice/config"
+)
+
+func TestIPWhitelistAndBanning(t *testing.T) {
+	cfg := &config.Config{
+		BannedIPs:      []string{"1.2.3.4", "10.0.0.0/24"},
+		WhitelistedIPs: []string{"1.2.3.4", "192.168.1.1"},
+	}
+	s := &Server{
+		Config:       cfg,
+		authAttempts: make(map[string]*authAttempt),
+		scanAttempts: make(map[string]*scanAttempt),
+	}
+
+	// 1.2.3.4 is both banned and whitelisted. Whitelist should win.
+	if s.isBanned("1.2.3.4:1234") {
+		t.Errorf("1.2.3.4 should NOT be banned as it is whitelisted")
+	}
+
+	// 10.0.0.5 is banned (range) and NOT whitelisted.
+	if !s.isBanned("10.0.0.5:1234") {
+		t.Errorf("10.0.0.5 should be banned")
+	}
+
+	// 192.168.1.1 is whitelisted.
+	if !s.isWhitelisted("192.168.1.1:1234") {
+		t.Errorf("192.168.1.1 should be whitelisted")
+	}
+
+	// 127.0.0.1 should be always whitelisted
+	if !s.isWhitelisted("127.0.0.1:1234") {
+		t.Errorf("127.0.0.1 should be always whitelisted")
+	}
+	if !s.isWhitelisted("[::1]:1234") {
+		t.Errorf("::1 should be always whitelisted")
+	}
+
+	// Verify scan attempt lockout behavior
+	ip := "8.8.8.8"
+	path := "/wp-admin"
+
+	// Record 9 attempts on SAME path
+	for i := 0; i < 9; i++ {
+		s.recordScanAttempt(ip, path)
+	}
+
+	if s.isBanned(ip) {
+		t.Errorf("IP %s should not be banned yet after 9 attempts", ip)
+	}
+
+	// 10th attempt should ban it
+	s.recordScanAttempt(ip, path)
+	if !s.isBanned(ip) {
+		t.Errorf("IP %s should be banned after 10 attempts on SAME path (due to fix)", ip)
+	}
+
+	// Verify whitelisted IP is NOT banned even after many attempts
+	wip := "192.168.1.1"
+	for i := 0; i < 20; i++ {
+		s.recordScanAttempt(wip, path)
+	}
+	if s.isBanned(wip) {
+		t.Errorf("Whitelisted IP %s should NOT be banned even after many attempts", wip)
+	}
+}

server/handlers_admin.go

@@ -334,6 +334,39 @@ func (s *Server) handleRemoveBannedIP(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, "/admin", http.StatusSeeOther)
 }
 
+func (s *Server) handleAddWhitelistedIP(w http.ResponseWriter, r *http.Request) {
+	if !s.isCSRFSafe(r) {
+		return
+	}
+	user, ok := s.checkAuth(r)
+	if ok && user.Role == config.RoleSuperAdmin {
+		ip := r.FormValue("ip")
+		if ip != "" {
+			s.Config.WhitelistedIPs = append(s.Config.WhitelistedIPs, ip)
+			s.Config.SaveConfig()
+		}
+	}
+	http.Redirect(w, r, "/admin", http.StatusSeeOther)
+}
+
+func (s *Server) handleRemoveWhitelistedIP(w http.ResponseWriter, r *http.Request) {
+	if !s.isCSRFSafe(r) {
+		return
+	}
+	user, ok := s.checkAuth(r)
+	if ok && user.Role == config.RoleSuperAdmin {
+		ip := r.FormValue("ip")
+		for i, b := range s.Config.WhitelistedIPs {
+			if b == ip {
+				s.Config.WhitelistedIPs = append(s.Config.WhitelistedIPs[:i], s.Config.WhitelistedIPs[i+1:]...)
+				s.Config.SaveConfig()
+				break
+			}
+		}
+	}
+	http.Redirect(w, r, "/admin", http.StatusSeeOther)
+}
+
 func (s *Server) handleClearAuthLockout(w http.ResponseWriter, r *http.Request) {
 	if !s.isCSRFSafe(r) {
 		http.Error(w, "Forbidden", http.StatusForbidden)

server/server.go

@@ -131,6 +131,8 @@ func (s *Server) setupRoutes() *http.ServeMux {
 	mux.HandleFunc("/admin/remove-user", s.handleRemoveUser)
 	mux.HandleFunc("/admin/add-banned-ip", s.handleAddBannedIP)
 	mux.HandleFunc("/admin/remove-banned-ip", s.handleRemoveBannedIP)
+	mux.HandleFunc("/admin/add-whitelisted-ip", s.handleAddWhitelistedIP)
+	mux.HandleFunc("/admin/remove-whitelisted-ip", s.handleRemoveWhitelistedIP)
 	mux.HandleFunc("/admin/clear-auth-lockout", s.handleClearAuthLockout)
 	mux.HandleFunc("/admin/clear-scan-lockout", s.handleClearScanLockout)
 	mux.HandleFunc("/admin/add-webhook", s.handleAddWebhook)