
Commit b34f67d

Add IP validation functionality
1 parent 7ec2533 commit b34f67d


2 files changed

+47
-0
lines changed


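--- a/deploy-config.orig.php
+++ b/deploy-config.orig.php
@@ -8,6 +8,18 @@
 /* DISABLED: Set to true to prevent the execution of this script. cript only when needed */
 define('DISABLED', false);
 
+/* IP_ALLOW:
+* Array of IP addresses and ranges in CIDR notation that are allowed to execute
+* the script. Supports IPv4 and IPv6. Leave array empty to allow all IPs.
+* GitHub IP ranges are 192.30.252.0/22 and 2620:112:3000::/44
+* (https://help.github.com/articles/github-s-ip-addresses/)
+* BitBucket IP ranges are 104.192.143.192/28 and 2401:1d80:1010::/64
+* (https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html)
+*
+*/
+define('IP_ALLOW', serialize(array(
+)));
+
 /*
 * REMOTE_REPOSITORY:
 * Address of the remote Git repo. For private repos use the SSH address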
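Review bot: The IP_ALLOW comment does not say which address the entries are matched against. In deploy.php it is `$_SERVER['REMOTE_ADDR']`, so behind a reverse proxy or load balancer every request carries the proxy's address and the list has to be written with that in mind. The GitHub and Bitbucket ranges quoted here are a snapshot that the providers change, so I would add a line such as `* These ranges change over time; check the provider pages linked above before relying on them.` It is also worth stating that the empty default skips the check entirely, which leaves the access token as the only gate.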

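--- a/deploy.php
+++ b/deploy.php
@@ -100,6 +100,41 @@ function endScript() {
 $fh = fopen(__DIR__ . '/deploy.lock', 'w');
 fclose($fh);
 
+// Check if IP is allowed
+if(defined('IP_ALLOW') && count(unserialize(IP_ALLOW))) {
+$allow = false;
+foreach(unserialize(IP_ALLOW) as $ip_allow) {
+if(strpos($ip_allow, '/') === false) {
+// Single IP
+if(inet_pton($_SERVER['REMOTE_ADDR']) == inet_pton($ip_allow)) {
+$allow = true;
+break;
+}
+}
+else {
+// IP range
+list($subnet, $bits) = explode('/', $ip_allow);
+// Convert subnet to binary string of $bits length
+$subnet = unpack('H*', inet_pton($subnet));
+foreach($subnet as $i => $h) $subnet[$i] = base_convert($h, 16, 2);
+$subnet = substr(implode('', $subnet), 0, $bits);
+// Convert remote IP to binary string of $bits length
+$ip = unpack('H*', inet_pton($_SERVER['REMOTE_ADDR']));
+foreach($ip as $i => $h) $ip[$i] = base_convert($h, 16, 2);
+$ip = substr(implode('', $ip), 0, $bits);
+if($subnet == $ip) {
+$allow = true;
+break;
+}
+}
+}
+if(!$allow) {
+errorPage('<h2>Access Denied</h2>');
+endScript();
+die();
+}
+}
+
 // If there's authorization error
 if (!isset($_GET['t']) || $_GET['t'] !== ACCESS_TOKEN || DISABLED === true) {
 errorPage('<h2>Access Denied</h2>');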
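Review bot: The CIDR branch (new lines 116–128) compares prefixes taken from `base_convert()` output, which is not fixed-width: leading zero bits are dropped, so the two `substr(..., 0, $bits)` prefixes can be misaligned and an address outside the configured range can compare equal. The PHP manual also warns that `base_convert()` loses precision on large numbers, which applies to the 128-bit IPv6 values. I would compare the packed `inet_pton()` bytes under a bit mask instead, after checking that both addresses parsed, have the same length (same address family) and that the prefix length is numeric and in range. The single-IP branch on line 109 should use `===` so that packed strings are never compared loosely. The surrounding script starts and ends outside this hunk, so the effect of creating deploy.lock before the check cannot be judged from here.

```php
// … unchanged: single-IP branch …
// IP range
list($subnet, $bits) = explode('/', $ip_allow, 2);
$net = inet_pton($subnet);
$remote = inet_pton($_SERVER['REMOTE_ADDR']);
// Skip malformed entries and entries of the other address family
if($net === false || $remote === false || strlen($net) !== strlen($remote)
    || !ctype_digit($bits) || (int) $bits > strlen($net) * 8) {
    continue;
}
$bits = (int) $bits;
$bytes = (int) ($bits / 8);   // whole bytes covered by the prefix
$rest = $bits % 8;            // bits left over in the following byte
$mask = (0xff << (8 - $rest)) & 0xff;
if(strncmp($net, $remote, $bytes) === 0
    && ($rest === 0 || (ord($net[$bytes]) & $mask) === (ord($remote[$bytes]) & $mask))) {
    $allow = true;
    break;
}
// … unchanged: denial handling after the loop …
```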
