Fix IP blacklisting

It turns out `req.remote_addr()` is just always returning localhost with
a port. The actual IP we want is in the `X-Forwarded-For` header, which
appears to always be the a comma separated list of IPs with spaces, one
of which is the one we want.

This makes the "is this IP in there" much wonkier (why can't I call
`Vec<String>::contains(&str)`?), but this should get us what we want.
Heroku will always provide an `X-Forwarded-For` header.

Author: sgrif

src/middleware/blacklist_ips.rs

@@ -4,18 +4,17 @@ use super::prelude::*;
 
 use std::io::Cursor;
 use std::collections::HashMap;
-use std::net::IpAddr;
 
 // Can't derive debug because of Handler.
 #[allow(missing_debug_implementations)]
 #[derive(Default)]
 pub struct BlockIps {
-    ips: Vec<IpAddr>,
+    ips: Vec<String>,
     handler: Option<Box<Handler>>,
 }
 
 impl BlockIps {
-    pub fn new(ips: Vec<IpAddr>) -> Self {
+    pub fn new(ips: Vec<String>) -> Self {
         Self { ips, handler: None }
     }
 }
@@ -28,7 +27,12 @@ impl AroundMiddleware for BlockIps {
 
 impl Handler for BlockIps {
     fn call(&self, req: &mut Request) -> Result<Response, Box<Error + Send>> {
-        if self.ips.contains(&req.remote_addr().ip()) {
+        let has_blacklisted_ip = req.headers()
+            .find("X-Forwarded-For")
+            .unwrap()
+            .iter()
+            .any(|v| v.split(", ").any(|ip| self.ips.iter().any(|x| x == ip)));
+        if has_blacklisted_ip {
             let body = format!(
                 "We are unable to process your request at this time. \
                  Please open an issue at https://github.com/rust-lang/crates.io \

src/middleware/mod.rs

@@ -81,10 +81,7 @@ pub fn build_middleware(app: Arc<App>, endpoints: R404) -> MiddlewareBuilder {
     m.around(Head::default());
 
     if let Ok(ip_list) = env::var("BLACKLISTED_IPS") {
-        let ips = ip_list
-            .split(',')
-            .map(|s| s.parse().expect("Could not parse IP address"))
-            .collect();
+        let ips = ip_list.split(',').map(String::from).collect();
         m.around(blacklist_ips::BlockIps::new(ips));
     }