Fix: Using all IPs including x-forwarded-for when checking if the requester has access to metrics

Victor Eduardo 2025-11-19 16:20:54 -03:00
parent 06543e89e5
commit e6a9ed92ce


@ -48,9 +48,14 @@ const packageJson = JSON.parse(fs.readFileSync('./package.json', 'utf8'));
const metricsIPWhitelist = (req: Request, res: Response, next: NextFunction) => {
const metricsConfig = configService.get('METRICS');
const allowedIPs = metricsConfig.ALLOWED_IPS?.split(',').map((ip) => ip.trim()) || ['127.0.0.1'];
const clientIP = req.ip || req.connection.remoteAddress || req.socket.remoteAddress;
const clientIPs = [
req.ip,
req.connection.remoteAddress,
req.socket.remoteAddress,
req.headers['x-forwarded-for'],
].filter((ip) => ip !== undefined);
if (!allowedIPs.includes(clientIP)) {
if (allowedIPs.filter((ip) => clientIPs.includes(ip)) === 0) {
return res.status(403).send('Forbidden: IP not allowed');
}
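Review bot: The new condition `allowedIPs.filter((ip) => clientIPs.includes(ip)) === 0` compares an array with the number 0, which is never true, so the 403 branch cannot be reached and the allowlist no longer restricts anything; it should test for the absence of a match, e.g. `if (!clientIPs.some((ip) => allowedIPs.includes(ip))) {`. Separately, `req.headers['x-forwarded-for']` is a request header that the caller controls unless a trusted proxy overwrites it, and because a match on any candidate grants access, it should not be an input to this decision. The header may also carry a comma-separated chain, which an exact `includes` would not match. If the service sits behind a reverse proxy and this is Express, as the types suggest, configure `trust proxy` for that proxy and check `req.ip` alone. The middleware's body continues past the end of this hunk.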