Fix: Refactor variable initialization in checkRepeatingBruteForcer

Reorganized variable declarations for clarity and consistency. Added an additional check to properly parse CIDR notation for networks, enhancing the error-checking mechanism and setting the `network` variable for upstream tasks. Signed-off-by: Christian Roessner <c@roessner.co>
croessner · Oct 25, 2024 · 9b849c3 · 9b849c3
1 parent ac0adef
commit 9b849c3
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/server/core/bruteforce.go b/server/core/bruteforce.go
@@ -796,7 +796,10 @@ func processBruteForce(auth *AuthState, ruleTriggered, alreadyTriggered bool, ru
 // checkRepeatingBruteForcer analyzes if a network partakes in repeated brute force attempts according to specified rules.
 // It returns a boolean indicating an error, whether a brute force rule already triggered, and the rule number.
 func checkRepeatingBruteForcer(auth *AuthState, rules []config.BruteForceRule, network *net.IPNet, message *string) (withError bool, alreadyTriggered bool, ruleNumber int) {
-	var err error
+	var (
+		ruleName string
+		err      error
+	)
 
 	for ruleNumber = range rules {
 		if network, err = auth.getNetwork(&rules[ruleNumber]); err != nil {
@@ -807,7 +810,11 @@ func checkRepeatingBruteForcer(auth *AuthState, rules []config.BruteForceRule, n
 			continue
 		}
 
-		if ruleName, err := auth.getPreResultBruteForceRedis(&rules[ruleNumber]); ruleName != "" && err == nil {
+		if ruleName, err = auth.getPreResultBruteForceRedis(&rules[ruleNumber]); ruleName != "" && err == nil {
+			if _, network, err = net.ParseCIDR(fmt.Sprintf("%s/%d", auth.ClientIP, rules[ruleNumber].CIDR)); err != nil {
+				withError = true
+			}
+
 			alreadyTriggered = true
 			*message = "Brute force attack detected (cached result)"
 			stats.BruteForceRejected.WithLabelValues(ruleName).Inc()