security: remove hardcoded whitelist IP

Move extra whitelist IPs to CC_WEB_IP_WHITELIST env var to avoid committing public IPs.
This commit is contained in:
cc-dan
2026-03-16 12:09:17 +00:00
parent c454cfa0ad
commit aa9b3a6bb4

View File

@@ -437,14 +437,27 @@ const activeTokens = new Set();
const AUTH_FAIL_WINDOW = 5 * 60 * 1000; // 5 minutes const AUTH_FAIL_WINDOW = 5 * 60 * 1000; // 5 minutes
const AUTH_FAIL_MAX = 3; const AUTH_FAIL_MAX = 3;
const authFailures = new Map(); // ip -> [timestamp, ...] const authFailures = new Map(); // ip -> [timestamp, ...]
let bannedIPs = new Set(); let bannedIPs = new Set();
// Tailscale / loopback whitelist — never ban these IPs // Tailscale / loopback whitelist — never ban these IPs.
function isWhitelistedIP(ip) { // Extra whitelist can be provided via env var (comma/space separated):
if (!ip) return false; // CC_WEB_IP_WHITELIST="<ip1>,<ip2>"
const cleaned = ip.replace(/^::ffff:/, ''); const EXTRA_WHITELIST_IPS = new Set(
return cleaned === '127.0.0.1' || cleaned === '::1' || cleaned.startsWith('100.') || cleaned === ''; String(process.env.CC_WEB_IP_WHITELIST || '')
} .split(/[\s,]+/)
.map(s => s.trim())
.filter(Boolean)
.map(s => s.replace(/^::ffff:/, ''))
);
function isWhitelistedIP(ip) {
if (!ip) return false;
const cleaned = ip.replace(/^::ffff:/, '');
return cleaned === '127.0.0.1'
|| cleaned === '::1'
|| cleaned.startsWith('100.')
|| EXTRA_WHITELIST_IPS.has(cleaned);
}
function loadBannedIPs() { function loadBannedIPs() {
try { try {