diff --git a/src/network.js b/src/network.js index 8add5b98d..0e507833d 100644 --- a/src/network.js +++ b/src/network.js @@ -21,7 +21,7 @@ function getBlocklist(callback) { assert.strictEqual(typeof callback, 'function'); const data = safe.fs.readFileSync(paths.FIREWALL_BLOCKLIST_FILE, 'utf8'); - callback(null, data); + callback(null, data || ''); } function setBlocklist(blocklist, auditSource, callback) { @@ -39,8 +39,8 @@ function setBlocklist(blocklist, auditSource, callback) { if (rangeOrIP.indexOf('/') === -1) { if (auditSource.ip === rangeOrIP) return callback(new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} includes client IP. Cannot block yourself`)); } else { - const parsedRange = ipaddr.parseCIDR(rangeOrIP); - if (parsedIp.match(parsedRange)) return callback(new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} includes client IP. Cannot block yourself`)); + const parsedRange = ipaddr.parseCIDR(rangeOrIP); // returns [addr, range] + if (parsedRange[0].kind() === parsedIp.kind() && parsedIp.match(parsedRange)) return callback(new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} includes client IP. Cannot block yourself`)); } } @@ -51,6 +51,6 @@ function setBlocklist(blocklist, auditSource, callback) { shell.sudo('setBlocklist', [ SET_BLOCKLIST_CMD ], {}, function (error) { if (error) return callback(new BoxError(BoxError.IPTABLES_ERROR, `Error setting blocklist: ${error.message}`)); - callback(); + callback(null); }); } diff --git a/src/test/network-test.js b/src/test/network-test.js new file mode 100644 index 000000000..89682659c --- /dev/null +++ b/src/test/network-test.js 
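Review bot: In `getBlocklist`, the new `data || ''` turns every read failure into an empty blocklist, not only a missing file. If `safe.fs.readFileSync` returns a falsy value on any error (the fallback suggests it does), a permission or I/O error on `paths.FIREWALL_BLOCKLIST_FILE` is reported to the caller as "nothing is blocked". A later save from that view would then overwrite the real list. Consider falling back to `''` only when the file does not exist and passing other failures to `callback` as an error. At minimum, add a comment on that line such as `// a missing file means no blocklist has been configured yet`.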
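Review bot: The new `parsedRange[0].kind() === parsedIp.kind()` guard in `setBlocklist` skips the self-block check whenever the address families differ. That includes a client reported as an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`) being compared against an IPv4 range. If `auditSource.ip` can arrive in that form, as is common behind a dual-stack listener, an admin could still block the range they are connecting from. `parsedIp` is built outside this hunk; if it comes from `ipaddr.parse`, consider `ipaddr.process(auditSource.ip)` so mapped addresses are reduced to IPv4 before the comparison. The string comparison `auditSource.ip === rangeOrIP` in the single-address branch just above has the same gap for non-canonical spellings of the client address.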
@@ -0,0 +1,196 @@
+/* global it:false */
+/* global describe:false */
+/* global before:false */
+
+'use strict';
+
+var network = require('../network.js'),
+ fs = require('fs'),
+ path = require('path'),
+ paths = require('../paths.js'),
+ BoxError = require('../boxerror.js'),
+ expect = require('expect.js');
+
+describe('Network', function () {
+ describe('Blocklist', function () {
+
+ before(function () {
+ fs.mkdirSync(path.dirname(paths.FIREWALL_BLOCKLIST_FILE));
+ });
+
+ it('can get empty blocklist', function (done) {
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('');
+
+ done();
+ });
+ });
+
+ it('can set empty blocklist', function (done) {
+ network.setBlocklist('', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('\n');
+
+ done();
+ });
+ });
+ });
+
+ it('can set single IPv4 in blocklist', function (done) {
+ network.setBlocklist('192.168.178.1', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('192.168.178.1\n');
+
+ done();
+ });
+ });
+ });
+
+ it('can set single IPv6 in blocklist', function (done) {
+ network.setBlocklist('2a02:8106:2f:bb00:7afc:5703:ee71:3ef8', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('2a02:8106:2f:bb00:7afc:5703:ee71:3ef8\n');
+
+ done();
+ });
+ });
+ });
+
+ it('can set mixed IPs with comment in blocklist', function (done) {
+ network.setBlocklist('2a02:8106:2f:bb00:7afc:5703:ee71:3ef8\n# some comment\n192.168.178.1', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('2a02:8106:2f:bb00:7afc:5703:ee71:3ef8\n# some comment\n192.168.178.1\n');
+
+ done();
+ });
+ });
+ });
+
+ it('can set single IPv4 range in blocklist', function (done) {
+ network.setBlocklist('192.168.178.1/24', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('192.168.178.1/24\n');
+
+ done();
+ });
+ });
+ });
+
+ it('can set single IPv6 range in blocklist', function (done) {
+ network.setBlocklist('2001:db8::', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('2001:db8::\n');
+
+ done();
+ });
+ });
+ });
+
+ it('cannot set IPv4 in blocklist if source is same', function (done) {
+ network.setBlocklist('127.0.0.1', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.be.a(BoxError);
+ expect(error.reason).to.equal(BoxError.BAD_FIELD);
+
+ done();
+ });
+ });
+
+ it('cannot set IPv6 in blocklist if source is same', function (done) {
+ network.setBlocklist('2001:db8:1234::1', { ip: '2001:db8:1234::1' }, function (error) {
+ expect(error).to.be.a(BoxError);
+ expect(error.reason).to.equal(BoxError.BAD_FIELD);
+
+ done();
+ });
+ });
+
+ it('cannot set IPv4 range in blocklist if source is same', function (done) {
+ network.setBlocklist('127.0.0.1/32', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.be.a(BoxError);
+ expect(error.reason).to.equal(BoxError.BAD_FIELD);
+
+ done();
+ });
+ });
+
+ it('cannot set IPv6 range in blocklist if source is same', function (done) {
+ network.setBlocklist('2001:db8:1234:::', { ip: '2001:db8:1234::1' }, function (error) {
+ expect(error).to.be.a(BoxError);
+ expect(error.reason).to.equal(BoxError.BAD_FIELD);
+
+ done();
+ });
+ });
+
+ it('can set IPv4 in blocklist if source is IPv6', function (done) {
+ network.setBlocklist('192.168.178.1', { ip: '2001:db8:1234::1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('192.168.178.1\n');
+
+ done();
+ });
+ });
+ });
+
+ it('can set IPv6 in blocklist if source is IPv4', function (done) {
+ network.setBlocklist('2001:db8:1234::1', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('2001:db8:1234::1\n');
+
+ done();
+ });
+ });
+ });
+
+ it('can set IPv4 range in blocklist if source is IPv6', function (done) {
+ network.setBlocklist('192.168.178.1/32', { ip: '2001:db8:1234::1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('192.168.178.1/32\n');
+
+ done();
+ });
+ });
+ });
+
+ it('can set IPv6 range in blocklist if source is IPv4', function (done) {
+ network.setBlocklist('2001:db8:1234::', { ip: '127.0.0.1' }, function (error) {
+ expect(error).to.equal(null);
+
+ network.getBlocklist(function (error, result) {
+ expect(error).to.equal(null);
+ expect(result).to.equal('2001:db8:1234::\n');
+
+ done();
+ });
+ });
+ });
+ });
+});
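Review bot: The IPv6 "range" cases in this file never reach the CIDR branch that the commit changes, because `'2001:db8::'`, `'2001:db8:1234::'` and `'2001:db8:1234:::'` contain no `/`. In 'cannot set IPv6 range in blocklist if source is same' the input is also malformed, so the `BAD_FIELD` it expects probably comes from input validation rather than from the "Cannot block yourself" check. The only mixed-family range that exercises the new `kind()` guard is the IPv4 range with an IPv6 source. Use real prefixes instead, e.g. `network.setBlocklist('2001:db8:1234::/48', { ip: '2001:db8:1234::1' }, ...)` for the rejection case and `'2001:db8:1234::/48'` with `{ ip: '127.0.0.1' }` for the mixed-family case. In the "cannot" tests, also assert on `error.message` so they pin which check rejected the input.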