Merge pull request dubinc#2366 from dubinc/bot-ip-range

steven-tey · web-flow · commit 8fb0f5003ebb · 2025-04-29T16:55:25.000-07:00
Add IP_RANGES_BOTS
diff --git a/apps/web/lib/middleware/utils/bots-list.ts b/apps/web/lib/middleware/utils/bots-list.ts
@@ -33,6 +33,7 @@ export const UA_BOTS = [
   "cron-job",
   "InternetMeasurement",
   "HostTracker",
+  "Expanse", // Expanse (Palo Alto Networks)
 
   // AI bots
   "anthropic-ai", // Anthropic AI
@@ -90,3 +91,11 @@ export const IP_BOTS = [
   "34.105.67.76", // The Dalles
   "154.28.229.7", // Ashburn
 ];
+
+export const IP_RANGES_BOTS = [
+  "159.148.128.0/24", // weird bot activity from Miami
+
+  // Expanse (Palo Alto Networks)
+  "198.235.24.0/24",
+  "205.210.31.0/24",
+];
diff --git a/apps/web/lib/middleware/utils/detect-bot.ts b/apps/web/lib/middleware/utils/detect-bot.ts
@@ -1,6 +1,7 @@
 import { ipAddress } from "@vercel/functions";
 import { userAgent } from "next/server";
-import { IP_BOTS, UA_BOTS } from "./bots-list";
+import { IP_BOTS, IP_RANGES_BOTS, UA_BOTS } from "./bots-list";
+import { isIpInRange } from "./is-ip-in-range";
 
 export const detectBot = (req: Request) => {
   const searchParams = new URL(req.url).searchParams;
@@ -23,9 +24,11 @@ export const detectBot = (req: Request) => {
     return false;
   }
 
-  if (ip.includes("/")) {
-    ip = ip.split("/")[0];
+  // Check exact IP matches
+  if (IP_BOTS.includes(ip)) {
+    return true;
   }
 
-  return IP_BOTS.includes(ip);
+  // Check CIDR ranges
+  return IP_RANGES_BOTS.some((range) => isIpInRange(ip, range));
 };
diff --git a/apps/web/lib/middleware/utils/is-ip-in-range.ts b/apps/web/lib/middleware/utils/is-ip-in-range.ts
@@ -0,0 +1,49 @@
+// Helper function to check if an IP is in a CIDR range
+export const isIpInRange = (ip: string, cidr: string): boolean => {
+  // Validate CIDR format
+  const cidrRegex = /^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$/;
+  if (!cidrRegex.test(cidr)) {
+    return false;
+  }
+
+  const [rangeIp, prefix] = cidr.split("/");
+  const prefixLength = parseInt(prefix);
+
+  // Validate prefix length
+  if (prefixLength < 0 || prefixLength > 32) {
+    return false;
+  }
+
+  // Validate IP format
+  const ipRegex = /^(\d{1,3}\.){3}\d{1,3}$/;
+  if (!ipRegex.test(ip)) {
+    return false;
+  }
+
+  // Convert IPs to binary
+  const ipToBinary = (ip: string) => {
+    return ip
+      .split(".")
+      .map((octet) => {
+        const num = parseInt(octet);
+        // Validate octet range
+        if (num < 0 || num > 255) {
+          throw new Error("Invalid IP octet");
+        }
+        return num.toString(2).padStart(8, "0");
+      })
+      .join("");
+  };
+
+  try {
+    const ipBinary = ipToBinary(ip);
+    const rangeBinary = ipToBinary(rangeIp);
+
+    // Compare the network portions
+    return (
+      ipBinary.slice(0, prefixLength) === rangeBinary.slice(0, prefixLength)
+    );
+  } catch {
+    return false;
+  }
+};
diff --git a/apps/web/tests/misc/ip-cidr.test.ts b/apps/web/tests/misc/ip-cidr.test.ts
@@ -0,0 +1,48 @@
+import { isIpInRange } from "@/lib/middleware/utils/is-ip-in-range";
+import { describe, expect, it } from "vitest";
+
+describe("CIDR Range Checking", () => {
+  describe("isIpInRange", () => {
+    it("should return true for IPs in the range", () => {
+      // Test with /24 range (256 IPs)
+      expect(isIpInRange("159.148.128.0", "159.148.128.0/24")).toBe(true);
+      expect(isIpInRange("159.148.128.1", "159.148.128.0/24")).toBe(true);
+      expect(isIpInRange("159.148.128.255", "159.148.128.0/24")).toBe(true);
+
+      // Test with /16 range (65,536 IPs)
+      expect(isIpInRange("159.148.0.0", "159.148.0.0/16")).toBe(true);
+      expect(isIpInRange("159.148.255.255", "159.148.0.0/16")).toBe(true);
+    });
+
+    it("should return false for IPs outside the range", () => {
+      // Test with /24 range
+      expect(isIpInRange("159.148.127.255", "159.148.128.0/24")).toBe(false);
+      expect(isIpInRange("159.148.129.0", "159.148.128.0/24")).toBe(false);
+
+      // Test with /16 range
+      expect(isIpInRange("159.147.255.255", "159.148.0.0/16")).toBe(false);
+      expect(isIpInRange("159.149.0.0", "159.148.0.0/16")).toBe(false);
+    });
+
+    it("should handle different CIDR prefix lengths", () => {
+      // Test with /32 (single IP)
+      expect(isIpInRange("192.168.1.1", "192.168.1.1/32")).toBe(true);
+      expect(isIpInRange("192.168.1.2", "192.168.1.1/32")).toBe(false);
+
+      // Test with /8 (16,777,216 IPs)
+      expect(isIpInRange("10.0.0.0", "10.0.0.0/8")).toBe(true);
+      expect(isIpInRange("10.255.255.255", "10.0.0.0/8")).toBe(true);
+      expect(isIpInRange("11.0.0.0", "10.0.0.0/8")).toBe(false);
+    });
+
+    it("should handle edge cases", () => {
+      // Test with 0.0.0.0
+      expect(isIpInRange("0.0.0.0", "0.0.0.0/0")).toBe(true);
+      expect(isIpInRange("255.255.255.255", "0.0.0.0/0")).toBe(true);
+
+      // Test with invalid inputs
+      expect(isIpInRange("invalid-ip", "159.148.128.0/24")).toBe(false);
+      expect(isIpInRange("159.148.128.0", "invalid-cidr")).toBe(false);
+    });
+  });
+});
