Ensure we recognize all private relay IPs properly

Author: mia-pi-git

src/ip-tools.ts

@@ -3,6 +3,7 @@
  */
 
 export const IPTools = new class {
+	privateRelayIPs: {minIP: number; maxIP: number}[] = [];
 	// eslint-disable-next-line max-len
 	readonly ipRegex = /^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$/;
 	getCidrRange(cidr: string): {minIP: number; maxIP: number} | null {
@@ -51,6 +52,24 @@ export const IPTools = new class {
 		if (!range) return false;
 		return range.minIP <= ip && ip <= range.maxIP;
 	}
+
+	async loadPrivateRelayIPs() {
+		const seen = new Set<string>();
+		try {
+			const res = await (await fetch("https://mask-api.icloud.com/egress-ip-ranges.csv")).text();
+			for (const line of res.split('\n')) {
+				const [range] = line.split(',');
+				const [ip] = range.split('/');
+				if (this.ipRegex.test(ip) && !seen.has(range)) {
+					const cidr = this.getCidrRange(range);
+					if (cidr) {
+						this.privateRelayIPs.push(cidr);
+						seen.add(range);
+					}
+				}
+			}
+		} catch {}
+	}
 };
 
 export default IPTools;

src/server.ts

@@ -211,7 +211,12 @@ export class ActionContext {
 	}
 	isTrustedProxy(ip: string) {
 		// account for shit like ::ffff:127.0.0.1
-		return ip === '::ffff:127.0.0.1' || Config.trustedproxies.some(f => IPTools.checkPattern(f, ip));
+		const num = IPTools.ipToNumber(ip) || 0;
+		return (
+			ip === '::ffff:127.0.0.1' ||
+			Config.trustedproxies.some(f => IPTools.checkPattern(f, ip)) ||
+			IPTools.privateRelayIPs.some(f => f.minIP <= num && num <= f.maxIP)
+		);
 	}
 	_ip = '';
 	getIp() {
@@ -415,3 +420,5 @@ export class Server {
 		);
 	}
 }
+
+void IPTools.loadPrivateRelayIPs();