authorCarl Lerche <carllerche@mac.com>2010-03-03 11:01:49 -0800
committerCarl Lerche <carllerche@mac.com>2010-03-03 21:24:00 -0800
commit9a9caf646d020e33ccdeac0f9b114acec019b599 (patch)
tree473bc1dd4ff9a6690fa0fb26aed19a271400ccc9
parent902d5a4f05c879674a3d010ac8ca76902308e18e (diff)
Add a BlockUntrustedIps middleware
-rw-r--r--actionpack/lib/action_dispatch.rb1
-rw-r--r--actionpack/lib/action_dispatch/middleware/block_untrusted_ips.rb25
2 files changed, 26 insertions, 0 deletions
diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb
index 479ea959e6..1abb283b11 100644
--- a/actionpack/lib/action_dispatch.rb
+++ b/actionpack/lib/action_dispatch.rb
@@ -42,6 +42,7 @@ module ActionDispatch
end
autoload_under 'middleware' do
+ autoload :BlockUntrustedIps
autoload :Callbacks
autoload :Cascade
autoload :Cookies
diff --git a/actionpack/lib/action_dispatch/middleware/block_untrusted_ips.rb b/actionpack/lib/action_dispatch/middleware/block_untrusted_ips.rb
new file mode 100644
index 0000000000..8aed0c45a6
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/block_untrusted_ips.rb
@@ -0,0 +1,25 @@
+module ActionDispatch
+ class BlockUntrustedIps
+ class SpoofAttackError < StandardError ; end
+
+ def initialize(app)
+ @app = app
+ end
+
+ def call(env)
+ if @env['HTTP_X_FORWARDED_FOR'] && @env['HTTP_CLIENT_IP']
+ remote_ips = @env['HTTP_X_FORWARDED_FOR'].split(',')
+
+ unless remote_ips.include?(@env['HTTP_CLIENT_IP'])
+ http_client_ip = @env['HTTP_CLIENT_IP'].inspect
+ http_forwarded_for = @env['HTTP_X_FORWARDED_FOR'].inspect
+
+ raise SpoofAttackError, "IP spoofing attack?!\n " \
+ "HTTP_CLIENT_IP=#{http_client_ip}\n HTTP_X_FORWARDED_FOR=http_forwarded_for"
+ end
+ end
+
+ @app.call(env)
+ end
+ end
+end
\ No newline at end of file
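Review bot: `call` reads `@env`, but `initialize` assigns only `@app`, so `@env` is nil and `@env['HTTP_X_FORWARDED_FOR']` raises NoMethodError on every request instead of performing the spoof check; the body should use the `env` parameter throughout, starting with `if env['HTTP_X_FORWARDED_FOR'] && env['HTTP_CLIENT_IP']`. The `remote_ips` line splits on a bare comma, so a conventionally formatted `a, b` header leaves a leading space on every entry after the first and a legitimate client IP can fail the `include?` test; `remote_ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)` avoids that false positive. In the raise, `HTTP_X_FORWARDED_FOR=http_forwarded_for` lacks interpolation and should read `HTTP_X_FORWARDED_FOR=#{http_forwarded_for}`, otherwise the error message omits the value an operator needs to triage the alert. A short class comment noting that both headers are client-supplied, so the check is only meaningful behind a proxy that sets them, would help, as would a test, since the diffstat shows none accompanying the new middleware.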