RubyGems - logstash-filter-real_ip - Versions diffs - 0.1.0 → 0.1.1 - Mend

logstash-filter-real_ip 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +5 -1
data/README.md +94 -64
data/lib/logstash/filters/real_ip.rb +38 -8
data/logstash-filter-real_ip.gemspec +2 -2
data/spec/filters/real_ip_spec.rb +12 -0
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 88e7483965ddd5c17fa615a7d996119471c37c3fe962c960e4100fec3072af04
-  data.tar.gz: d0eea1f5ecdf8d83188df244d9c01ca2f521affee30c56c3e6d694085ac1683c
+  metadata.gz: 03a6d392653c84b6e9979c4242b33addc2bef2b9edbc06a02ab12bf4b0e817eb
+  data.tar.gz: b86af8b9cb8beeb0018548058bda54666cc96a8c9a79dfa808e537ea24910ef9
 SHA512:
-  metadata.gz: b7fbcf884b25d0aaf0801ab27ec7288d5864c007947f2834a6c3026178cc72a333c2d0da4fc49b5fed8d43e21b189aed2c9ab5be3175e33cfdc4eba02393bdb3
-  data.tar.gz: f2d85853339251efb7eb5a52eb1fde05d0d3ee0c5164e2384f29e5484e970903fbfc400de50ea53d5de140cda5c15baad2136639f57fdd159b8c6709a323748c
+  metadata.gz: 80d539a35dc6a9ae7957e2051e75a3440aed0a885ea52bc565d757d5166a6623f17e54a933d4c1440922d89a44d1b0d19ab98b4e9613d298a8a71ba979e0ba9c
+  data.tar.gz: c8a5626f432719c803a2abd375f31ae4d23390702e124cd9ed90233dd9bbd32c9f2ab77569d5ba7155c18e16999123783c120360d6fd88686a33eed975677d73

data/CHANGELOG.md CHANGED Viewed

@@ -1,2 +1,6 @@
+## 0.1.1
+ - fix: Fix edge case where x-forwarded-for is empty or only contains trusted IPs
 ## 0.1.0
-  - Plugin created with the logstash plugin generator
+ - Plugin created with the logstash plugin generator

data/README.md CHANGED Viewed

@@ -1,86 +1,116 @@
-# Logstash Plugin
+Evaluate an HTTP request's client address like Apache httpd's mod_remoteip or
+Nginx's realip module.
-This is a plugin for [Logstash](https://github.com/elastic/logstash).
-It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
-## Documentation
-Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
-- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
-- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
-## Need Help?
-Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
-## Developing
+For an event like this...
+```ruby
+{
+  "remote_addr" => "10.1.1.1"
+  "x_fwd_for" => ["1.2.3.4", "10.2.2.2"]
+}
+```
-### 1. Plugin Developement and Testing
+...an example configuration looks like so:
+```ruby
+filter {
+  real_ip {
+    remote_address_field => "remote_addr"
+    x_forwarded_for_field => "x_fwd_for"
+    trusted_networks => [
+      "10.0.0.0/8",
+      "192.168.0.0/16"
+    ]
+  }
+}
+```
+This will evaluate the real client IP, writing it to a new field "realip".
+For above example event that would be "1.2.3.4"
-#### Code
-- To get started, you'll need JRuby with the Bundler gem installed.
+Often web servers don't provide the value of the X-Forwarded-For header as
+an array. For ease of use the real_ip plugin provides capabilities to parse
+such a comma-separated string. To enable this feature, use the
+`x_forwarded_for_is_string` option.
-- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+For an event like this...
+```ruby
+{
+  "remote_addr" => "10.1.1.1"
+  "x_fwd_for" => "1.2.3.4, 10.2.2.2"
+}
+```
-- Install dependencies
-```sh
-bundle install
+...an example configuration looks like so:
+```ruby
+filter {
+  real_ip {
+    remote_address_field => "remote_addr"
+    x_forwarded_for_field => "x_fwd_for"
+    x_forwarded_for_is_string => true
+    trusted_networks => [
+      "10.0.0.0/8",
+      "192.168.0.0/16"
+    ]
+  }
+}
 ```
-#### Test
+In case the plugin fails to evaluate the real client IP, it will add a tag to
+the event, by default `_real_ip_lookup_failure`.
+The plugin will fail if one of below it true:
+* The `remote_address` field is absent.
+* The `remote_address` field doesn't contain an IP address.
+* The filter is configured using `x_forwarded_for_is_string = true`, but the
+`x_forwarded_for` field isn't a string.
+* The `x_forwarded_for` field contains anything other that IP addresses.
-- Update your dependencies
+#### Evaluation behavior
+The plugin checks whether the `remote_address_field` is trusted, if not, it
+will be written to `target_field`, and evaluation ends.
-```sh
-bundle install
-```
+Otherwise each IP in the `x_forwarded_for_field` is checked, from right to
+left until an untrusted IP is encountered, which will be written to
+`target_field` and evaluation ends at that point.
-- Run tests
+In case `remote_address_field` and all IPs in `x_forwarded_for_field` are
+trusted, the left-most IP of the `x_forwarded_for_field` is written to
+`target_field`.
-```sh
-bundle exec rspec
-```
+#### Configuration
+##### remote_address_field
+* type: string
+* default: `""`
-### 2. Running your unpublished Plugin in Logstash
+Name of the field that contains the layer 3 remote IP address
-#### 2.1 Run in a local Logstash clone
+##### x_forwarded_for_field
+* type: string
+* default: `""`
-- Edit Logstash `Gemfile` and add the local plugin path, for example:
-```ruby
-gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
-```
-- Install plugin
-```sh
-bin/logstash-plugin install --no-verify
-```
-- Run Logstash with your plugin
-```sh
-bin/logstash -e 'filter {awesome {}}'
-```
-At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+Name of the field that contains the X-Forwarded-For header value
-#### 2.2 Run in an installed Logstash
+##### x_forwarded_for_is_string
+* type: boolean
+* default: `false`
-You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+Specifies whether the `x_forwarded_for_field` contains a comman-separated
+string instead of an array.
-- Build your plugin gem
-```sh
-gem build logstash-filter-awesome.gemspec
-```
-- Install the plugin from the Logstash home
-```sh
-bin/logstash-plugin install /your/local/plugin/logstash-filter-awesome.gem
-```
-- Start Logstash and proceed to test the plugin
+##### trusted_networks
+* type: array
+* default: `[]`
-## Contributing
+A list of trusted networks addresses. Be sure that you only specify
+addresses that you trust will correctly manipulate the X-Forwarded-For
+header.
-All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+##### target_field
+* type: string
+* default: `"real_ip"`
-Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+Name of the field that this plugin will write the evaluated real client IP
+address to.
-It is more important to the community that you are able to contribute.
+##### tags_on_failure
+* type: array
+* default: `["_real_ip_lookup_failure"]`
-For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
+In case of error during evaluation, these tags will be set.

data/lib/logstash/filters/real_ip.rb CHANGED Viewed

@@ -6,13 +6,15 @@ require "ipaddr"
 # Evaluate an HTTP request's client address like Apache httpd's mod_remoteip or
 # Nginx's realip module.
 #
-# For an event like this:
+#
+# For an event like this...
 # [source,ruby]
 #     {
-#         "remote_addr" => "10.1.1.1"
-#         "x_fwd_for" => ["1.2.3.4", "10.2.2.2"]
+#       "remote_addr" => "10.1.1.1"
+#       "x_fwd_for" => ["1.2.3.4", "10.2.2.2"]
 #     }
-# An example configuration looks like so:
+#
+# ...an example configuration looks like so:
 # [source,ruby]
 #     filter {
 #       real_ip {
@@ -31,12 +33,15 @@ require "ipaddr"
 # an array. For ease of use the real_ip plugin provides capabilities to parse
 # such a comma-separated string. To enable this feature, use the
 # `x_forwarded_for_is_string` option.
+#
+# For an event like this...
 # [source,ruby]
 #     {
-#         "remote_addr" => "10.1.1.1"
-#         "x_fwd_for" => "1.2.3.4, 10.2.2.2"
+#       "remote_addr" => "10.1.1.1"
+#       "x_fwd_for" => "1.2.3.4, 10.2.2.2"
 #     }
-# An example configuration looks like so:
+#
+# ...an example configuration looks like so:
 # [source,ruby]
 #     filter {
 #       real_ip {
@@ -59,6 +64,18 @@ require "ipaddr"
 # `x_forwarded_for` field isn't a string.
 # * The `x_forwarded_for` field contains anything other that IP addresses.
 #
+# ==== Evaluation behavior ====
+# The plugin checks whether the `remote_address_field` is trusted, if not, it
+# will be written to `target_field`, and evaluation ends.
+#
+# Otherwise each IP in the `x_forwarded_for_field` is checked, from right to
+# left until an untrusted IP is encountered, which will be written to
+# `target_field` and evaluation ends at that point.
+#
+# In case `remote_address_field` and all IPs in `x_forwarded_for_field` are
+# trusted, the left-most IP of the `x_forwarded_for_field` is written to
+# `target_field`.
+#
 class LogStash::Filters::RealIp < LogStash::Filters::Base
   config_name "real_ip"
@@ -174,7 +191,14 @@ class LogStash::Filters::RealIp < LogStash::Filters::Base
       end
     end
-    # In case X-Forwarded-For header is set, but empty
+    # in case x_forwarded_for is empty
+    if fwdfor.length == 0
+      event.set(@target_field, remote_addr)
+      filter_matched(event)
+      return
+    end
+    # In case X-Forwarded-For header is set, but zero-length string
     if fwdfor.length == 1 and fwdfor[0].length < 1
       @logger.debug? and @logger.debug("xfwdfor header was present but empty, evaluate to remote_addr", :address => remote_addr)
       event.set(@target_field, remote_addr)
@@ -200,5 +224,11 @@ class LogStash::Filters::RealIp < LogStash::Filters::Base
       end
     end
+    # in case remote_addr and all x_forwarded_for IPs are trusted, use the
+    # left-most IP from x_forwarded_for
+    event.set(@target_field, fwdfor[0])
+    filter_matched(event)
+    return
   end # def filter
 end # class LogStash::Filters::RealIp

data/logstash-filter-real_ip.gemspec CHANGED Viewed

@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
   s.name          = 'logstash-filter-real_ip'
-  s.version       = '0.1.0'
+  s.version       = '0.1.1'
   s.licenses      = ['Apache-2.0']
   s.summary       = 'Evaluates real client IP from X-Forwarded-For header'
-  s.description   = ''
+  s.description   = 'See https://github.com/fholzer/logstash-filter-real_ip/blob/master/README.md for details.'
   s.homepage      = 'https://github.com/fholzer/logstash-filter-real_ip'
   s.authors       = ['Ferdinand Holzer']
   s.email         = 'ferdinand.holzer@gmail.com'

data/spec/filters/real_ip_spec.rb CHANGED Viewed

@@ -49,6 +49,18 @@ describe LogStash::Filters::RealIp do
       expect(subject).to include("real_ip")
       expect(subject.get('real_ip')).to eq('1.2.3.4')
     end
+    sample("remote_addr" => "10.2.3.4", "xfwdfor" => ["192.168.5.6", "192.168.3.4"]) do
+      expect(subject).not_to include("tags")
+      expect(subject).to include("real_ip")
+      expect(subject.get('real_ip')).to eq('192.168.5.6')
+    end
+    sample("remote_addr" => "10.2.3.4", "xfwdfor" => []) do
+      expect(subject).not_to include("tags")
+      expect(subject).to include("real_ip")
+      expect(subject.get('real_ip')).to eq('10.2.3.4')
+    end
   end
   describe "Evaluates real IP correctly with flat string xfwfor" do

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-real_ip
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Ferdinand Holzer
@@ -38,7 +38,8 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: ''
+description: See https://github.com/fholzer/logstash-filter-real_ip/blob/master/README.md
+  for details.
 email: ferdinand.holzer@gmail.com
 executables: []
 extensions: []