Merge pull request #2241 from victoreduardo/evo/main

Fix: use all client IPs, including x-forwarded-for, when checking whether the requester has access to metrics
Davidson Gomes 2025-11-19 17:47:10 -03:00 committed by GitHub
commit 689f347457


@ -48,9 +48,14 @@ const packageJson = JSON.parse(fs.readFileSync('./package.json', 'utf8'));
const metricsIPWhitelist = (req: Request, res: Response, next: NextFunction) => {
const metricsConfig = configService.get('METRICS');
const allowedIPs = metricsConfig.ALLOWED_IPS?.split(',').map((ip) => ip.trim()) || ['127.0.0.1'];
const clientIP = req.ip || req.connection.remoteAddress || req.socket.remoteAddress;
const clientIPs = [
req.ip,
req.connection.remoteAddress,
req.socket.remoteAddress,
req.headers['x-forwarded-for'],
].filter((ip) => ip !== undefined);
if (!allowedIPs.includes(clientIP)) {
if (allowedIPs.filter((ip) => clientIPs.includes(ip)) === 0) {
return res.status(403).send('Forbidden: IP not allowed');
}