unosquare / embedio

A tiny, cross-platform, module based web server for .NET
http://unosquare.github.io/embedio

IPBanningModule cannot be used twice with the same base route #545

Open rdeago opened 2 years ago

rdeago commented 2 years ago

EmbedIO version

3.4.3 (actually, any version since the introduction of IPBanningModule).

Describe the bug

IPBanningModule relies on a static registry of banning configurations, indexed by base route.

The implementation does not account for the following use cases:

Module groups

If one or more module groups contain IPBanningModules with the same base route (which is typically "/"), they will share the same configuration. For example, any IP address that is blacklisted in an IPBanningModule with a base route of "/" will be blacklisted in all IPBanningModules with the same base route.

"Module group" in this context means either a ModuleGroup, or the set of modules directly contained in the web server itself.

Multiple web servers

If there exists more than one web server in the same AppDomain, each with at least one IPBanningModule, and two or more IPBanningModules among all existing web servers have the same base route, they will share the same configuration.

Additionally, as soon as one of the web servers is disposed, its IP banning configurations will be removed from the static registry. This will not cause other servers' IPBanningModules to fail, as they retain a reference to their configuration, but IPBanningExecutor's periodic purging routine will no longer purge the configuration of any disposed IPBanningModule, making bans effectively permanent for all IPBanningModules sharing those configurations.

To Reproduce

Steps to reproduce the behavior:

  1. Create two WebServers in the same application, responding to different ports;
  2. Add an IPBanningModule, with a base route of "/" to both servers;
  3. Configure just one of the IPBanningModules to blacklist 127.0.0.1 as a client IP address;
  4. Verify that you cannot access the home page of either server from the local computer, just as if 127.0.0.1 were blacklisted.

Expected behavior

The configuration of an IPBanningModule should have absolutely no influence on the configuration of any other module.

Server configuration

This bug does not depend on any specific configuration.

Client configuration

This bug does not depend on any specific configuration.

rdeago commented 2 years ago

Pinging @k3z0 and @geoperez as original authors of IPBanningModule.

radioegor146 commented 2 years ago

Why is this kind of cache used, by the way? Shouldn't it just work as config per IPBanningModule instance?
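
The sharing described in the issue, next to the per-instance alternative asked about in the last comment, as an added example that is not part of the thread and is not EmbedIO's code. The types `BanConfig`, `SharedRegistryBanModule` and `PerInstanceBanModule` are hypothetical stand-ins that only model where the configuration lives.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Net;

// Hypothetical model of the pattern in this issue; none of these types are EmbedIO's.
// HashSet is not thread-safe; this sketch is single-threaded on purpose.
sealed class BanConfig
{
    public HashSet<IPAddress> Blacklist { get; } = new HashSet<IPAddress>();
}

// Flawed shape: configuration lives in a process-wide registry keyed by base route,
// so every module created with the same route receives the same BanConfig object.
sealed class SharedRegistryBanModule
{
    static readonly ConcurrentDictionary<string, BanConfig> Registry =
        new ConcurrentDictionary<string, BanConfig>();
    readonly BanConfig _config;
    public SharedRegistryBanModule(string baseRoute) =>
        _config = Registry.GetOrAdd(baseRoute, _ => new BanConfig());
    public void Ban(IPAddress ip) => _config.Blacklist.Add(ip);
    public bool IsBanned(IPAddress ip) => _config.Blacklist.Contains(ip);
}

// Isolated shape: each module instance owns its configuration, whatever its route.
sealed class PerInstanceBanModule
{
    readonly BanConfig _config = new BanConfig();
    public PerInstanceBanModule(string baseRoute) { }
    public void Ban(IPAddress ip) => _config.Blacklist.Add(ip);
    public bool IsBanned(IPAddress ip) => _config.Blacklist.Contains(ip);
}

static class Program
{
    static void Main()
    {
        // Two modules standing in for two servers on different ports, both at "/".
        var a = new SharedRegistryBanModule("/");
        var b = new SharedRegistryBanModule("/");
        a.Ban(IPAddress.Loopback);
        Console.WriteLine($"shared registry: banned on b = {b.IsBanned(IPAddress.Loopback)}");

        var c = new PerInstanceBanModule("/");
        var d = new PerInstanceBanModule("/");
        c.Ban(IPAddress.Loopback);
        Console.WriteLine($"per instance:    banned on d = {d.IsBanned(IPAddress.Loopback)}");
    }
}
```

A regression test for a fix can use the same shape: ban an address on one module and assert that a second module with the same base route still admits it.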