AllowDebugAccess reports whether r should be permitted to access various debug endpoints.
(r *http.Request)
// AllowDebugAccess reports whether r should be permitted to access
// various debug endpoints.
//
// A request accepted by allowDebugAccessWithKey is allowed outright.
// Otherwise a request with a non-empty X-Forwarded-For header is refused,
// and the decision rests on the host part of r.RemoteAddr: it is allowed
// when tsaddr.IsTailscaleIP or IsLoopback holds for it, when its text
// equals the TS_ALLOW_DEBUG_IP envknob, or when cidrsContain reports it
// within trustedCIDRs(). Anything that fails to parse is refused.
func AllowDebugAccess(r *http.Request) bool {
	if allowDebugAccessWithKey(r) {
		return true
	}

	// A forwarding header means RemoteAddr is the proxy, not the client.
	// Parsing the header is a TODO if/when needed; for now, be conservative
	// and refuse.
	if fwd := r.Header.Get("X-Forwarded-For"); fwd != "" {
		return false
	}

	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false
	}

	// NOTE(review): the loopback case trusts every local peer. A reverse
	// proxy on the same host that omits X-Forwarded-For would make all of
	// its clients look like loopback here; confirm deployments set it.
	switch {
	case tsaddr.IsTailscaleIP(addr):
		return true
	case addr.IsLoopback():
		return true
	case host == envknob.String("TS_ALLOW_DEBUG_IP"):
		// Textual comparison: the knob must be spelled exactly as the
		// address appears in RemoteAddr. A differently formatted but
		// equal address does not match (fails closed).
		return true
	}

	if cidrsContain(trustedCIDRs(), addr) {
		return true
	}
	return false
}
| 128 | |
| 129 | func allowDebugAccessWithKey(r *http.Request) bool { |
| 130 | if r.Method != "GET" { |