admin_hg/cx-nexredirect
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Fix admin UI inaccessible via private/local IP

Browse source 
isAdminHost() only matched localhost and the configured server_ip
(set to the public IP by the install script). Installations accessed
via RFC 1918 addresses (10.x, 192.168.x, 172.16-31.x) fell through
to the redirect-domain handler and returned 'Domain nicht konfiguriert'.

Extract isPrivateOrLoopbackIp() to recognize all private and loopback
addresses as admin hosts. No security risk: redirect domains are never
private IPs.
This commit is contained in:
Hendrik 2026-05-15 16:48:07 +02:00
parent 44bb7810a7
commit daa13c808b
1 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
lib/redirect-resolver.ts
View file

@ -50,11 +50,20 @@ export function resolveHost(host: string): ResolvedRedirect | null {
return cache.get(host.toLowerCase()) ?? null;
}
function isPrivateOrLoopbackIp(h: string): boolean {
if (h === "localhost" || h === "127.0.0.1" || h === "::1") return true;
// RFC 1918 — never used as redirect domains
if (/^10\./.test(h)) return true;
if (/^192\.168\./.test(h)) return true;
if (/^172\.(1[6-9]|2[0-9]|3[01])\./.test(h)) return true;
return false;
}
export function isAdminHost(host: string): boolean {
const baseDomain = getSetting("base_domain");
const serverIp = getSetting("server_ip");
const h = host.toLowerCase().split(":")[0];
if (h === "localhost" || h === "127.0.0.1" || h === "::1") return true;
if (isPrivateOrLoopbackIp(h)) return true;
if (baseDomain && h === baseDomain.toLowerCase()) return true;
if (serverIp && h === serverIp) return true;
return false;