Fix missing logging of connections by disallowed IPs (#14011)

jade
2025-06-03 14:22:30 -07:00
committed by GitHub
parent 08b2ffeaab
commit 44b5de1568
9 changed files with 109 additions and 98 deletions


@@ -1,8 +1,10 @@
using System.Net;
using System.Threading.Tasks;
using System.Web;
using MediaBrowser.Common.Extensions;
using MediaBrowser.Common.Net;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
namespace Jellyfin.Api.Middleware;
@@ -12,14 +14,17 @@ namespace Jellyfin.Api.Middleware;
public class IPBasedAccessValidationMiddleware
{
private readonly RequestDelegate _next;
private readonly ILogger<IPBasedAccessValidationMiddleware> _logger;
/// <summary>
/// Initializes a new instance of the <see cref="IPBasedAccessValidationMiddleware"/> class.
/// </summary>
/// <param name="next">The next delegate in the pipeline.</param>
public IPBasedAccessValidationMiddleware(RequestDelegate next)
/// <param name="logger">The logger to log to.</param>
public IPBasedAccessValidationMiddleware(RequestDelegate next, ILogger<IPBasedAccessValidationMiddleware> logger)
{
_next = next;
_logger = logger;
}
/// <summary>
@@ -32,16 +37,23 @@ public class IPBasedAccessValidationMiddleware
{
if (httpContext.IsLocal())
{
// Running locally.
// Accessing from the same machine as the server.
await _next(httpContext).ConfigureAwait(false);
return;
}
var remoteIP = httpContext.Connection.RemoteIpAddress ?? IPAddress.Loopback;
var remoteIP = httpContext.GetNormalizedRemoteIP();
if (!networkManager.HasRemoteAccess(remoteIP))
var result = networkManager.ShouldAllowServerAccess(remoteIP);
if (result != RemoteAccessPolicyResult.Allow)
{
// No access from network, respond with 503 instead of 200.
_logger.LogWarning(
"Blocking request to {Path} by {RemoteIP} due to IP filtering rule, reason: {Reason}",
// url-encode to block log injection
HttpUtility.UrlEncode(httpContext.Request.Path),
remoteIP,
result);
httpContext.Response.StatusCode = StatusCodes.Status503ServiceUnavailable;
return;
}
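Review bot: The `_logger.LogWarning` call added in the `result != RemoteAccessPolicyResult.Allow` branch writes one Warning entry per rejected request, so a peer on a filtered address decides how fast the log grows and how long each entry is, since the path is logged at whatever length the server accepted. Rejections should be throttled per remote IP (Warning for the first hit in a time window, Debug for the rest) and the logged path capped in length. `HttpUtility.UrlEncode` does neutralise CR/LF, but it also rewrites every `/` as `%2f`, which makes the entries harder to search; `httpContext.Request.Path.ToUriComponent()` should percent-escape control characters while leaving the separators intact. The logged `remoteIP` is only as trustworthy as the forwarded-header and known-proxy configuration behind `GetNormalizedRemoteIP()`, which is not visible here, so a short comment saying so would help whoever reads these entries during an incident. `Invoke` begins before this hunk and continues after it.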


@@ -1,51 +0,0 @@
using System.Net;
using System.Threading.Tasks;
using MediaBrowser.Common.Extensions;
using MediaBrowser.Common.Net;
using MediaBrowser.Controller.Configuration;
using Microsoft.AspNetCore.Http;
namespace Jellyfin.Api.Middleware;
/// <summary>
/// Validates the LAN host IP based on application configuration.
/// </summary>
public class LanFilteringMiddleware
{
private readonly RequestDelegate _next;
/// <summary>
/// Initializes a new instance of the <see cref="LanFilteringMiddleware"/> class.
/// </summary>
/// <param name="next">The next delegate in the pipeline.</param>
public LanFilteringMiddleware(RequestDelegate next)
{
_next = next;
}
/// <summary>
/// Executes the middleware action.
/// </summary>
/// <param name="httpContext">The current HTTP context.</param>
/// <param name="networkManager">The network manager.</param>
/// <param name="serverConfigurationManager">The server configuration manager.</param>
/// <returns>The async task.</returns>
public async Task Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
{
if (serverConfigurationManager.GetNetworkConfiguration().EnableRemoteAccess)
{
await _next(httpContext).ConfigureAwait(false);
return;
}
var host = httpContext.GetNormalizedRemoteIP();
if (!networkManager.IsInLocalNetwork(host))
{
// No access from network, respond with 503 instead of 200.
httpContext.Response.StatusCode = StatusCodes.Status503ServiceUnavailable;
return;
}
await _next(httpContext).ConfigureAwait(false);
}
}