diff --git a/app/Support/Ip.php b/app/Support/Ip.php
new file mode 100644
index 0000000..5b62ffe
--- /dev/null
+++ b/app/Support/Ip.php
@@ -0,0 +1,44 @@
+ 0) {
+ $subnetBytes = substr($subnet, 0, $maskBytes);
+ $ipBytes = substr($ip, 0, $maskBytes);
+
+ if ($subnetBytes !== $ipBytes) {
+ return false;
+ }
+ }
+
+ if ($maskBits > 0) {
+ $maskValue = chr(pow(2, $maskBits) - 1);
+ $subnetByte = ord($subnet[$maskBytes]);
+ $ipByte = ord($ip[$maskBytes]);
+
+ if (($subnetByte & $maskValue) !== ($ipByte & $maskValue)) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ return $ip === $network;
+ }
+}
diff --git a/routes/web.php b/routes/web.php
index 3efd0d5..1a960cb 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -6,6 +6,7 @@ use App\Http\Controllers\EnvironmentController;
 use App\Http\Controllers\OrganisationController;
 use App\Http\Controllers\ServerController;
 use App\Models\Server;
+use App\Support\Ip;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Route;
 use Inertia\Inertia;
@@ -67,9 +68,16 @@ Route::post('/provision-callback', function (Request $request) {
 $server = Server::find($validated['server_id']);
-
+ // Check against ipv4 and ipv6
+ $isValidIp = false;
+ if ($server->ipv4 && Ip::inNetwork($request->ip(), $server->ipv4)) {
+ $isValidIp = true;
+ }
+ if ($server->ipv6 && Ip::inNetwork($request->ip(), $server->ipv6)) {
+ $isValidIp = true;
+ }
- if ($request->ip() !== $server->ipv4 && inet_pton($request->ip()) !== inet_pton($server->ipv6)) {
+ if (! $isValidIp) {
 logger('someone tried to callback from an invalid IP');
 logger(' server ip: ' . $server->ipv4);
 logger(' server ipv6: ' . $server->ipv6);
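Review bot: In the new `Ip::inNetwork()` (app/Support/Ip.php), the partial-byte mask `chr(pow(2, $maskBits) - 1)` is a one-byte string that selects the low-order bits, while `$subnetByte` and `$ipByte` are integers from `ord()` and a CIDR prefix covers the high-order bits of that byte. As written, the `&` comparison for prefixes that are not a multiple of 8 does not test the prefix bits, so the provision-callback address check that relies on it can accept or reject the wrong hosts; assuming `$maskBits` is the prefix length modulo 8, `$maskValue = (0xFF << (8 - $maskBits)) & 0xFF;` gives the intended mask. The start of the method is not visible on this page, so it is worth confirming there that both addresses are of the same family and length before `$subnet[$maskBytes]` is indexed.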
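Review bot: In the `/provision-callback` hunk of routes/web.php, the source address from `$request->ip()` is the only gate visible before the callback is accepted, and its value depends on the application's trusted-proxy configuration. If forwarded headers are trusted from any upstream, the address compared by `Ip::inNetwork()` is whatever the client sends, so I would add a comment above the check such as `// relies on $request->ip(): keep the trusted-proxy list restricted to our own load balancers`, and consider a per-server callback token as a second factor. The two `if` blocks can also be folded into one assignment, `$isValidIp = ($server->ipv4 && Ip::inNetwork($request->ip(), $server->ipv4)) || ($server->ipv6 && Ip::inNetwork($request->ip(), $server->ipv6));`. The closure starts and ends outside the hunk, so whether `$server` can be null at this point is not visible.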