
🐛 Fiber will never start with big IP networks in config.TrustedProxies #1607

@sadfun

Fiber version
2.21.0

Issue description
Recently I asked for a feature: #1600. The next day it was implemented by #1602. Thanks, but I think this solution is very dangerous.

Let's see how the current solution works:

// Iterates IP address which is between range
for ip := ip.Mask(ipnet.Mask); ipnet.Contains(ip); utils.IncrementIPRange(ip) {
    app.config.trustedProxiesMap[ip.String()] = struct{}{}
}

Actually, this solution just adds all IP addresses that the networks contain to trustedProxiesMap, one by one.

Look at Cloudflare – the most popular proxy for websites and, I think, the most popular case. What happens if we add all IPv4 Cloudflare networks to config.TrustedProxies? trustedProxiesMap will contain 1 786 880 IPs! Although it is extremely inefficient on memory, it can still be OK. But try to add at least one IPv6 Cloudflare IP network, and Fiber will never finish adding IPs to trustedProxiesMap.

Spoiler: If we add all Cloudflare IPv6 networks, Fiber needs to process 1 109 194 275 199 700 726 309 617 091 584 IPs.

Code snippet
Just add all Cloudflare (or any other big) IP networks to config to reproduce.

Cloudflare networks
[]string{
	"103.21.244.0/22",
	"103.22.200.0/22",
	"103.31.4.0/22",
	"104.16.0.0/12",
	"108.162.192.0/18",
	"131.0.72.0/22",
	"141.101.64.0/18",
	"162.158.0.0/15",
	"172.64.0.0/13",
	"173.245.48.0/20",
	"188.114.96.0/20",
	"190.93.240.0/20",
	"197.234.240.0/22",
	"198.41.128.0/17",
	"2400:cb00::/32",
	"2606:4700::/32",
	"2803:f800::/32",
	"2405:b500::/32",
	"2405:8100::/32",
	"2a06:98c0::/29",
	"2c0f:f248::/32",
}
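An added example, not part of the original issue and not Fiber's code or its eventual fix: keeping one `*net.IPNet` per configured range and testing membership with `Contains` makes startup cost proportional to the number of ranges, and the same pass computes how many map keys per-IP expansion would need for the list above. `ParseNets` and `IsTrusted` are hypothetical names chosen for this sketch.

```go
package main

import (
	"fmt"
	"math/big"
	"net"
)

// The 21 networks listed in the issue above, copied as given there.
var cloudflareNets = []string{
	"103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12", "108.162.192.0/18",
	"131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20",
	"188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17", "2400:cb00::/32",
	"2606:4700::/32", "2803:f800::/32", "2405:b500::/32", "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
}

// ParseNets (hypothetical helper) stores one entry per range and also returns
// the number of addresses a per-IP map would have to hold for the same config.
func ParseNets(cidrs []string) ([]*net.IPNet, *big.Int, error) {
	var nets []*net.IPNet
	total := new(big.Int)
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		ones, bits := n.Mask.Size() // bits is 32 for IPv4, 128 for IPv6
		total.Add(total, new(big.Int).Lsh(big.NewInt(1), uint(bits-ones)))
		nets = append(nets, n)
	}
	return nets, total, nil
}

// IsTrusted scans the ranges per request; unparseable addresses are never trusted.
func IsTrusted(nets []*net.IPNet, addr string) bool {
	ip := net.ParseIP(addr)
	for _, n := range nets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	nets, total, err := ParseNets(cloudflareNets)
	fmt.Println(len(nets), "ranges cover", total, "addresses; err:", err)
	fmt.Println(IsTrusted(nets, "2606:4700::1111"), IsTrusted(nets, "192.0.2.1"))
}
```

The address count it reports for the full list equals the figure quoted in the spoiler, which covers the IPv4 and IPv6 ranges together.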
