Implement IP address validation in server.js

gvbvdxxalt2 · web-flow · commit c7167c6d52bd · 2026-03-04T14:05:23.000-05:00
diff --git a/server-src/server.js b/server-src/server.js
@@ -83,11 +83,47 @@ function closeUserFromUserSocket(username) {
     console.log(e);
   }
 }
+
+function isPrivateIp(ip) {
+  if (!ip) return false;
+
+  // Handle IPv6 localhost
+  if (ip === '::1' || ip === 'localhost') return true;
+
+  // Split the IP into its 4 parts (octets)
+  const parts = ip.split('.');
+  if (parts.length !== 4) return false; // Not a standard IPv4 address
+
+  const first = parseInt(parts[0], 10);
+  const second = parseInt(parts[1], 10);
+
+  // 127.x.x.x (Localhost)
+  if (first === 127) return true;
+
+  // 10.x.x.x (Private network)
+  if (first === 10) return true;
+
+  // 192.168.x.x (Private network)
+  if (first === 192 && second === 168) return true;
+
+  // 172.16.x.x through 172.31.x.x (Private network)
+  if (first === 172 && second >= 16 && second <= 31) return true;
+
+  return false;
+}
 function getIPFromRequest(req) {
-  if (req.headers["x-forwarded-for"]) {
-    var IPString = "" + req.headers["x-forwarded-for"];
+  var ipListHeader = req.headers['x-forwarded-for'];
+  if (ipListHeader) {
+    var IPString = "" + ipListHeader;
     var IPs = IPString.split(",").map((ip) => ip.trim());
-    return IPs[0];
+    var i = IPs.length-1;
+	while (i > 0) {
+		var curIp = IPs[i];
+		if (!isPrivateIp(curIp)) {
+			return curIp;
+		}
+		i -= 1;
+	}
   }
   return req.socket.remoteAddress;
 }
