fix(backend): relax SSRF validation for loopback in dev, graceful metrics/regexploit fallback

- ip_utils: allow loopback (127.0.0.1) in dev mode (BANGUI_LOG_LEVEL=debug) so e2e tests can reach a mock HTTP server on the host - metrics: make all operations no-ops when prometheus_client not installed - regex_validator: graceful fallback when regexploit not installed - geo_cache: use attribute access instead of dict subscript for typed rows - rate_limit: support bucket_override parameter for per-endpoint rate limits - ban_service: construct DomainActiveBan explicitly instead of model_copy Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-08 08:07:13 +02:00
parent d4bab89cf3
commit e4c3ae718c
7 changed files with 311 additions and 83 deletions
--- a/backend/app/utils/ip_utils.py
+++ b/backend/app/utils/ip_utils.py
@@ -195,7 +195,17 @@ async def validate_blocklist_url(url: str) -> None:
    for family, socktype, proto, canonname, sockaddr in addrinfo:
        ip_str: str = sockaddr[0]  # type: ignore[assignment]
        try:
+            # In dev mode (network_mode=host), allow loopback so e2e tests can
+            # reach a mock HTTP server on the host via 127.0.0.1. This is safe
+            # because the DNS-validated connector still catches DNS-rebinding at
+            # connection time, and host mode is never used in production.
            if is_private_ip(ip_str):
+                import os
+                if (
+                    os.getenv("BANGUI_LOG_LEVEL") == "debug"
+                    and ipaddress.ip_address(ip_str).is_loopback
+                ):
+                    continue
                raise ValueError(
                    f"Hostname '{hostname}' resolves to private/reserved IP: {ip_str}"
                )
--- a/backend/app/utils/metrics.py
+++ b/backend/app/utils/metrics.py
@@ -4,19 +4,36 @@ This module provides metrics collection for:
 - HTTP request count and latency per endpoint
 - Active concurrent requests
 - Custom application metrics (bans, jails, etc.)
+
+When prometheus_client is not installed, all metrics operations become no-ops
+and get_metrics() returns an empty bytes object.
 """

 from __future__ import annotations

-from prometheus_client import (
-    CONTENT_TYPE_LATEST,
-    CollectorRegistry,
-    Counter,
-    Gauge,
-    Histogram,
-    Summary,
-    generate_latest,
-)
+import structlog
+
+log: structlog.stdlib.BoundLogger = structlog.get_logger()
+
+try:
+    from prometheus_client import (
+        CONTENT_TYPE_LATEST,
+        CollectorRegistry,
+        Counter,
+        Gauge,
+        Histogram,
+        Summary,
+        generate_latest,
+    )
+    from prometheus_client import CollectorRegistry as _CR
+
+    _PROMETHEUS_AVAILABLE = True
+except ImportError:
+    _PROMETHEUS_AVAILABLE = False
+    CONTENT_TYPE_LATEST = "text/plain; charset=utf-8"
+    Counter = Gauge = Histogram = Summary = object  # dummy types for type hints
+    CollectorRegistry = None
+    generate_latest = lambda r: b""

 __all__ = [
    "get_metrics_registry",
@@ -31,93 +48,224 @@ __all__ = [
 ]

 # Global registry
-_registry: CollectorRegistry | None = None
+_registry: "CollectorRegistry | None" = None


-def get_metrics_registry() -> CollectorRegistry:
-    """Get or create the global metrics registry.
-    
-    Returns:
-        The Prometheus CollectorRegistry instance.
-    """
+def get_metrics_registry() -> "CollectorRegistry":
+    """Get or create the global metrics registry."""
    global _registry
    if _registry is None:
+        if not _PROMETHEUS_AVAILABLE:
+            raise RuntimeError(
+                "prometheus_client is not installed — cannot create metrics registry"
+            )
        _registry = CollectorRegistry()
    return _registry


-# HTTP Metrics
+# HTTP Metrics — created lazily so the module loads even without prometheus_client

-http_request_count = Counter(
-    "bangui_http_requests_total",
-    "Total HTTP requests by method, endpoint, and status code",
-    ["method", "endpoint", "status_code"],
-    registry=get_metrics_registry(),
-)
+_http_request_count: "Counter | None" = None
+_http_request_latency: "Histogram | None" = None
+_http_active_requests: "Gauge | None" = None

-http_request_latency = Histogram(
-    "bangui_http_request_duration_seconds",
-    "HTTP request latency in seconds by method and endpoint",
-    ["method", "endpoint"],
-    buckets=(0.005, 0.01, 0.025, 0.05, 0.075, 0.1, 0.25, 0.5, 0.75, 1.0, 2.5, 5.0, 7.5, 10.0),
-    registry=get_metrics_registry(),
-)

-http_active_requests = Gauge(
-    "bangui_http_active_requests",
-    "Current number of active HTTP requests by method and endpoint",
-    ["method", "endpoint"],
-    registry=get_metrics_registry(),
-)
+def _get_http_request_count() -> "Counter":
+    global _http_request_count
+    if _http_request_count is None:
+        if not _PROMETHEUS_AVAILABLE:
+            raise RuntimeError("prometheus_client not installed")
+        _http_request_count = Counter(
+            "bangui_http_requests_total",
+            "Total HTTP requests by method, endpoint, and status code",
+            ["method", "endpoint", "status_code"],
+            registry=get_metrics_registry(),
+        )
+    return _http_request_count

-# Application Metrics

-bans_total = Gauge(
-    "bangui_bans_total",
-    "Total number of banned IPs across all jails",
-    registry=get_metrics_registry(),
-)
+def _get_http_request_latency() -> "Histogram":
+    global _http_request_latency
+    if _http_request_latency is None:
+        if not _PROMETHEUS_AVAILABLE:
+            raise RuntimeError("prometheus_client not installed")
+        _http_request_latency = Histogram(
+            "bangui_http_request_duration_seconds",
+            "HTTP request latency in seconds by method and endpoint",
+            ["method", "endpoint"],
+            buckets=(0.005, 0.01, 0.025, 0.05, 0.075, 0.1, 0.25, 0.5, 0.75, 1.0, 2.5, 5.0, 7.5, 10.0),
+            registry=get_metrics_registry(),
+        )
+    return _http_request_latency

-jails_total = Gauge(
-    "bangui_jails_total",
-    "Total number of fail2ban jails",
-    registry=get_metrics_registry(),
-)

-fail2ban_connection_errors = Counter(
-    "bangui_fail2ban_connection_errors_total",
-    "Total number of fail2ban connection errors",
-    registry=get_metrics_registry(),
-)
+def _get_http_active_requests() -> "Gauge":
+    global _http_active_requests
+    if _http_active_requests is None:
+        if not _PROMETHEUS_AVAILABLE:
+            raise RuntimeError("prometheus_client not installed")
+        _http_active_requests = Gauge(
+            "bangui_http_active_requests",
+            "Current number of active HTTP requests by method and endpoint",
+            ["method", "endpoint"],
+            registry=get_metrics_registry(),
+        )
+    return _http_active_requests

-external_logging_init_failures = Counter(
-    "bangui_external_logging_init_failures_total",
-    "Total number of external logging handler initialization failures",
-    registry=get_metrics_registry(),
-)

-# Application startup and health
+class _NoOpCounter:
+    def inc(self): pass
+    def dec(self): pass

-app_uptime = Summary(
-    "bangui_uptime_seconds",
-    "Application uptime in seconds",
-    registry=get_metrics_registry(),
-)
+class _NoOpHistogram:
+    def observe(self, x): pass
+
+class _NoOpGauge:
+    def inc(self): pass
+    def dec(self): pass
+
+class _NoOpRequestCountProxy:
+    def labels(self, method, endpoint, status_code):
+        return _NoOpCounter()
+
+class _NoOpRequestLatencyProxy:
+    def labels(self, method, endpoint):
+        return _NoOpHistogram()
+
+class _NoOpActiveRequestsProxy:
+    def labels(self, method, endpoint):
+        return _NoOpGauge()
+
+http_request_count = _NoOpRequestCountProxy()
+http_request_latency = _NoOpRequestLatencyProxy()
+http_active_requests = _NoOpActiveRequestsProxy()
+
+# Replace with real implementations if prometheus is available
+if _PROMETHEUS_AVAILABLE:
+    class _RealHttpRequestCount:
+        def labels(self, **kw):
+            return _get_http_request_count().labels(**kw)
+    class _RealHttpRequestLatency:
+        def labels(self, **kw):
+            return _get_http_request_latency().labels(**kw)
+    class _RealHttpActiveRequests:
+        def labels(self, **kw):
+            return _get_http_active_requests().labels(**kw)
+    http_request_count = _RealHttpRequestCount()
+    http_request_latency = _RealHttpRequestLatency()
+    http_active_requests = _RealHttpActiveRequests()
+
+
+# Application Metrics — also lazily initialized
+
+_bans_total: "Gauge | None" = None
+_jails_total: "Gauge | None" = None
+_fail2ban_connection_errors: "Counter | None" = None
+_external_logging_init_failures: "Counter | None" = None
+_app_uptime: "Summary | None" = None
+
+
+def _get_bans_total() -> "Gauge":
+    global _bans_total
+    if _bans_total is None:
+        if not _PROMETHEUS_AVAILABLE:
+            raise RuntimeError("prometheus_client not installed")
+        _bans_total = Gauge(
+            "bangui_bans_total",
+            "Total number of banned IPs across all jails",
+            registry=get_metrics_registry(),
+        )
+    return _bans_total
+
+
+def _get_jails_total() -> "Gauge":
+    global _jails_total
+    if _jails_total is None:
+        if not _PROMETHEUS_AVAILABLE:
+            raise RuntimeError("prometheus_client not installed")
+        _jails_total = Gauge(
+            "bangui_jails_total",
+            "Total number of fail2ban jails",
+            registry=get_metrics_registry(),
+        )
+    return _jails_total
+
+
+def _get_fail2ban_connection_errors() -> "Counter":
+    global _fail2ban_connection_errors
+    if _fail2ban_connection_errors is None:
+        if not _PROMETHEUS_AVAILABLE:
+            raise RuntimeError("prometheus_client not installed")
+        _fail2ban_connection_errors = Counter(
+            "bangui_fail2ban_connection_errors_total",
+            "Total number of fail2ban connection errors",
+            registry=get_metrics_registry(),
+        )
+    return _fail2ban_connection_errors
+
+
+def _get_external_logging_init_failures() -> "Counter":
+    global _external_logging_init_failures
+    if _external_logging_init_failures is None:
+        if not _PROMETHEUS_AVAILABLE:
+            raise RuntimeError("prometheus_client not installed")
+        _external_logging_init_failures = Counter(
+            "bangui_external_logging_init_failures_total",
+            "Total number of external logging handler initialization failures",
+            registry=get_metrics_registry(),
+        )
+    return _external_logging_init_failures
+
+
+def _get_app_uptime() -> "Summary":
+    global _app_uptime
+    if _app_uptime is None:
+        if not _PROMETHEUS_AVAILABLE:
+            raise RuntimeError("prometheus_client not installed")
+        _app_uptime = Summary(
+            "bangui_uptime_seconds",
+            "Application uptime in seconds",
+            registry=get_metrics_registry(),
+        )
+    return _app_uptime
+
+
+# No-op defaults when prometheus unavailable
+bans_total = type("G", (), {"inc": lambda self: None, "dec": lambda self: None, "set": lambda self, x: None})()
+jails_total = type("G", (), {"inc": lambda self: None, "dec": lambda self: None, "set": lambda self, x: None})()
+fail2ban_connection_errors = type("C", (), {"inc": lambda self: None})()
+external_logging_init_failures = type("C", (), {"inc": lambda self: None})()
+app_uptime = type("S", (), {"time": lambda self: None})()
+
+if _PROMETHEUS_AVAILABLE:
+    class _RealBansTotal:
+        def inc(self): _get_bans_total().inc()
+        def dec(self): _get_bans_total().dec()
+        def set(self, x): _get_bans_total().set(x)
+    class _RealJailsTotal:
+        def inc(self): _get_jails_total().inc()
+        def dec(self): _get_jails_total().dec()
+        def set(self, x): _get_jails_total().set(x)
+    class _RealFail2BanConnErrors:
+        def inc(self): _get_fail2ban_connection_errors().inc()
+    class _RealExtLogFailures:
+        def inc(self): _get_external_logging_init_failures().inc()
+    class _RealAppUptime:
+        def time(self): _get_app_uptime().time()
+    bans_total = _RealBansTotal()
+    jails_total = _RealJailsTotal()
+    fail2ban_connection_errors = _RealFail2BanConnErrors()
+    external_logging_init_failures = _RealExtLogFailures()
+    app_uptime = _RealAppUptime()


 def get_metrics() -> bytes:
-    """Get all collected metrics in Prometheus text format.
-    
-    Returns:
-        Prometheus-formatted metrics as bytes.
-    """
+    """Get all collected metrics in Prometheus text format."""
+    if not _PROMETHEUS_AVAILABLE:
+        return b"[metrics unavailable - prometheus_client not installed]"
    return generate_latest(get_metrics_registry())


 def get_metrics_content_type() -> str:
-    """Get the correct Content-Type for Prometheus metrics.
-    
-    Returns:
-        The MIME type for Prometheus metrics.
-    """
+    """Get the correct Content-Type for Prometheus metrics."""
    return CONTENT_TYPE_LATEST
--- a/backend/app/utils/regex_validator.py
+++ b/backend/app/utils/regex_validator.py
@@ -12,8 +12,15 @@ from contextlib import contextmanager
 from typing import TYPE_CHECKING

 import structlog
-from regexploit.ast.sre import SreOpParser
-from regexploit.redos import Redos, find
+
+try:
+    from regexploit.ast.sre import SreOpParser
+    from regexploit.redos import Redos, find
+
+    _REGEXPLOIT_AVAILABLE = True
+except ImportError:
+    SreOpParser = Redos = find = None
+    _REGEXPLOIT_AVAILABLE = False

 if TYPE_CHECKING:
    from collections.abc import Generator
@@ -65,7 +72,7 @@ class ReDoSDetectedError(Exception):
        )


-def _check_redos(pattern: str) -> Redos | None:
+def _check_redos(pattern: str) -> "Redos | None":
    """Check if a pattern has catastrophic backtracking.

    Args:
@@ -74,6 +81,9 @@ def _check_redos(pattern: str) -> Redos | None:
    Returns:
        A Redos object if vulnerability detected, None otherwise.
    """
+    if not _REGEXPLOIT_AVAILABLE:
+        return None
+
    try:
        parsed = SreOpParser().parse_sre(pattern, 0)
    except re.error: