From aa9b3a6bb4103d3a4fa675efce9a6d887c2d3650 Mon Sep 17 00:00:00 2001 From: cc-dan Date: Mon, 16 Mar 2026 12:09:17 +0000 Subject: [PATCH] security: remove hardcoded whitelist IP Move extra whitelist IPs to CC_WEB_IP_WHITELIST env var to avoid committing public IPs. --- server.js | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/server.js b/server.js index 7ae6b67..52f340e 100644 --- a/server.js +++ b/server.js @@ -437,14 +437,27 @@ const activeTokens = new Set(); const AUTH_FAIL_WINDOW = 5 * 60 * 1000; // 5 minutes const AUTH_FAIL_MAX = 3; const authFailures = new Map(); // ip -> [timestamp, ...] -let bannedIPs = new Set(); + let bannedIPs = new Set(); -// Tailscale / loopback whitelist — never ban these IPs -function isWhitelistedIP(ip) { - if (!ip) return false; - const cleaned = ip.replace(/^::ffff:/, ''); - return cleaned === '127.0.0.1' || cleaned === '::1' || cleaned.startsWith('100.') || cleaned === ''; -} + // Tailscale / loopback whitelist — never ban these IPs. + // Extra whitelist can be provided via env var (comma/space separated): + // CC_WEB_IP_WHITELIST="," + const EXTRA_WHITELIST_IPS = new Set( + String(process.env.CC_WEB_IP_WHITELIST || '') + .split(/[\s,]+/) + .map(s => s.trim()) + .filter(Boolean) + .map(s => s.replace(/^::ffff:/, '')) + ); + + function isWhitelistedIP(ip) { + if (!ip) return false; + const cleaned = ip.replace(/^::ffff:/, ''); + return cleaned === '127.0.0.1' + || cleaned === '::1' + || cleaned.startsWith('100.') + || EXTRA_WHITELIST_IPS.has(cleaned); + } function loadBannedIPs() { try {