Validate Reject IP size

2025-12-12 01:00:34 +08:00 · 2025-06-22 18:27:17 +08:00 · 2025-06-22 18:27:17 +08:00 · 72d7831532
commit 72d7831532
parent f190da5c0e
2 changed files with 32 additions and 8 deletions
--- a/Build/build-reject-domainset.ts
+++ b/Build/build-reject-domainset.ts
@ -189,7 +189,13 @@ export const buildRejectDomainSet = task(require.main === module, __filename)(as
      span.traceChildAsync(
        'get botnet ips',
        () => fetchAssets(...BOTNET_FILTER, true, true)
-      ).then(arr => rejectIPOutput.bulkAddAnyCIDR(arr, false)),
+      ).then(arr => {
+        if (arr.length > 2000) {
+          throw new Error('Too many botnet ips, please check the source of BOTNET_FILTER');
+        }
+        return rejectIPOutput.bulkAddAnyCIDR(arr, false);
+      }),
+
      span.traceChildAsync(
        'get bogus nxdomain ips',
        () => fetchAssets(...BOGUS_NXDOMAIN_DNSMASQ, true, false)
@ -197,18 +203,21 @@ export const buildRejectDomainSet = task(require.main === module, __filename)(as
            for (let i = 0, len = arr.length; i < len; i++) {
              const line = arr[i];
              if (line.startsWith('bogus-nxdomain=')) {
-                arr[i] = line.slice(15).trim();
+                // bogus nxdomain needs to be blocked even after resolved
+                rejectIPOutput.addAnyCIDR(
+                  line.slice(15).trim(),
+                  false
+                );
              }
            }

            return arr;
          })
-        // bogus nxdomain needs to be blocked even after resolved
-      ).then(arr => rejectIPOutput.bulkAddAnyCIDR(arr, false))
+      )
    ].flat()));

  if (foundDebugDomain.value) {
-    // eslint-disable-next-line sukka/unicorn/no-process-exit -- cli App
+  // eslint-disable-next-line sukka/unicorn/no-process-exit -- cli App
    process.exit(1);
  }

@ -227,8 +236,8 @@ export const buildRejectDomainSet = task(require.main === module, __filename)(as
      rejectExtraDomainsetOutput.whitelistDomain(domain);
      rejectPhisingDomainsetOutput.whitelistDomain(domain);

-      // DON'T Whitelist reject non_ip ruleset, we are force blocking thingshere
-      // rejectNonIpRulesetOutput.whitelistDomain(domain);
+    // DON'T Whitelist reject non_ip ruleset, we are force blocking thingshere
+    // rejectNonIpRulesetOutput.whitelistDomain(domain);
    }

    // we use "whitelistKeyword" method, this will be used to create kwfilter internally
@ -267,7 +276,7 @@ export const buildRejectDomainSet = task(require.main === module, __filename)(as
  rejectOutputAdGuardHome.domainTrie = rejectDomainsetOutput.domainTrie;

  await rejectOutputAdGuardHome
-    // .addFromRuleset(readLocalMyRejectRulesetPromise)
+  // .addFromRuleset(readLocalMyRejectRulesetPromise)
    .addFromRuleset(readLocalRejectRulesetPromise)
    .addFromRuleset(readFileIntoProcessedArray(path.join(SOURCE_DIR, 'non_ip/reject-drop.conf')))
    .addFromRuleset(readFileIntoProcessedArray(path.join(SOURCE_DIR, 'non_ip/reject-no-drop.conf')))
--- a/Build/lib/rules/base.ts
+++ b/Build/lib/rules/base.ts
@ -250,6 +250,21 @@ export class FileOutput {
    return ip + '/128';
  };

+  addAnyCIDR(cidr: string, noResolve = false) {
+    const version = fastIpVersion(cidr);
+    if (version === 0) return this;
+
+    let list: Set<string>;
+    if (version === 4) {
+      list = noResolve ? this.ipcidrNoResolve : this.ipcidr;
+    } else /* if (version === 6) */ {
+      list = noResolve ? this.ipcidr6NoResolve : this.ipcidr6;
+    }
+
+    list.add(FileOutput.ipToCidr(cidr, version));
+    return this;
+  }
+
  bulkAddAnyCIDR(cidrs: string[], noResolve = false) {
    const list4 = noResolve ? this.ipcidrNoResolve : this.ipcidr;
    const list6 = noResolve ? this.ipcidr6NoResolve : this.ipcidr6;