diff --git a/Dockerfile b/Dockerfile index ad08bd37c..f2f8e9060 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,9 +31,34 @@ RUN pnpm ui:build ENV NODE_ENV=production -# Security hardening: Run as non-root user -# The node:22-bookworm image includes a 'node' user (uid 1000) -# This reduces the attack surface by preventing container escape via root privileges -USER node +# Install gosu for dropping privileges safely +RUN apt-get update && apt-get install -y --no-install-recommends gosu && rm -rf /var/lib/apt/lists/* +# Entrypoint script: fix /data permissions, ensure cloud-ready config, then drop to node user +RUN printf '#!/bin/sh\n\ +if [ -d /data ]; then\n\ + chown -R node:node /data 2>/dev/null || true\n\ +fi\n\ +# Ensure cloud-ready config exists for Railway/cloud deployments\n\ +if [ -n "$CLAWDBOT_STATE_DIR" ]; then\n\ + mkdir -p "$CLAWDBOT_STATE_DIR"\n\ + CONFIG_FILE="$CLAWDBOT_STATE_DIR/clawdbot.json"\n\ + # If no config or config lacks trustedProxies or allowInsecureAuth, create it\n\ + if [ ! -f "$CONFIG_FILE" ] || ! grep -q "trustedProxies" "$CONFIG_FILE" 2>/dev/null || ! grep -q "allowInsecureAuth" "$CONFIG_FILE" 2>/dev/null; then\n\ + cat > "$CONFIG_FILE" << EOF\n\ +{\n\ + "gateway": {\n\ + "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"],\n\ + "controlUi": {\n\ + "allowInsecureAuth": true\n\ + }\n\ + }\n\ +}\n\ +EOF\n\ + fi\n\ + chown node:node "$CONFIG_FILE" 2>/dev/null || true\n\ +fi\n\ +exec gosu node "$@"\n' > /entrypoint.sh && chmod +x /entrypoint.sh + +ENTRYPOINT ["/entrypoint.sh"] CMD ["node", "dist/index.js"] diff --git a/src/gateway/net.ts b/src/gateway/net.ts index 6702e0e8b..3814e730d 100644 --- a/src/gateway/net.ts +++ b/src/gateway/net.ts @@ -48,10 +48,45 @@ function parseRealIp(realIp?: string): string | undefined { return normalizeIp(stripOptionalPort(raw)); } +/** + * Check if an IPv4 address falls within a CIDR range. + * @param ip - The IP address to check (e.g., "100.64.0.3") + * @param cidr - The CIDR range (e.g., "100.64.0.0/10") + * @returns True if the IP is within the CIDR range + */ +function isIpInCidr(ip: string, cidr: string): boolean { + const [range, bitsStr] = cidr.split("/"); + if (!range || !bitsStr) return false; + + const bits = parseInt(bitsStr, 10); + if (Number.isNaN(bits) || bits < 0 || bits > 32) return false; + + const ipParts = ip.split(".").map((p) => parseInt(p, 10)); + const rangeParts = range.split(".").map((p) => parseInt(p, 10)); + + if (ipParts.length !== 4 || rangeParts.length !== 4) return false; + if (ipParts.some((p) => Number.isNaN(p)) || rangeParts.some((p) => Number.isNaN(p))) return false; + + const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3]; + const rangeNum = (rangeParts[0] << 24) | (rangeParts[1] << 16) | (rangeParts[2] << 8) | rangeParts[3]; + + // Create mask: bits=10 means top 10 bits must match + const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0; + + return ((ipNum >>> 0) & mask) === ((rangeNum >>> 0) & mask); +} + export function isTrustedProxyAddress(ip: string | undefined, trustedProxies?: string[]): boolean { const normalized = normalizeIp(ip); if (!normalized || !trustedProxies || trustedProxies.length === 0) return false; - return trustedProxies.some((proxy) => normalizeIp(proxy) === normalized); + return trustedProxies.some((proxy) => { + // Check if it's a CIDR range + if (proxy.includes("/")) { + return isIpInCidr(normalized, proxy); + } + // Exact match + return normalizeIp(proxy) === normalized; + }); } export function resolveGatewayClientIp(params: {