fix: allow calling internal IP ranges with relevant option

The `ResilientClient` options `ResilientClientDisallowInternalIPs` and `ResilientClientAllowInternalIPRequestsTo` were not allowing to call certain IP ranges, like 100.64.0.0/10 properly.
ory · Aug 21, 2024 · 0ca4115 · 0ca4115
1 parent 52f7d77
commit 0ca4115
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 18 deletions.
diff --git a/httpx/resilient_client_test.go b/httpx/resilient_client_test.go
@@ -13,6 +13,7 @@ import (
  "net/url"
  "sync/atomic"
  "testing"
+ "time"
 
  "github.com/hashicorp/go-retryablehttp"
  "github.com/stretchr/testify/assert"
@@ -33,11 +34,13 @@ func TestNoPrivateIPs(t *testing.T) {
 
  allowedURL := "http://localhost:" + port + "/foobar"
  allowedGlob := "http://localhost:" + port + "/glob/*"
+ allowedPrivateIP := "http://100.64.1.1:80" + "/private"
 
  c := NewResilientClient(
- ResilientClientWithMaxRetry(1),
+ ResilientClientWithMaxRetry(0),
+ ResilientClientWithConnectionTimeout(10*time.Millisecond),
  ResilientClientDisallowInternalIPs(),
- ResilientClientAllowInternalIPRequestsTo(allowedURL, allowedGlob),
+ ResilientClientAllowInternalIPRequestsTo(allowedURL, allowedGlob, allowedPrivateIP),
  )
 
  for i := 0; i < 10; i++ {
@@ -49,13 +52,51 @@ func TestNoPrivateIPs(t *testing.T) {
  "http://localhost:" + port + "/glob/bar": true,
  "http://localhost:" + port + "/glob/bar/baz": false,
  "http://localhost:" + port + "/FOOBAR": false,
+ allowedPrivateIP: true,
+ "http://100.64.8.8:" + port + "/route": false,
  } {
  _, err := c.Get(destination)
  if !passes {
  require.Errorf(t, err, "dest = %s", destination)
  assert.Containsf(t, err.Error(), "is not a permitted destination", "dest = %s", destination)
+ } else if err != nil {
+ assert.NotContainsf(t, err.Error(), "is not a permitted destination", "dest = %s", destination)
+ }
+ }
+ }
+}
+
+func TestAllowPrivateIPs(t *testing.T) {
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+ _, _ = w.Write([]byte("Hello, world!"))
+ }))
+ t.Cleanup(ts.Close)
+
+ target, err := url.ParseRequestURI(ts.URL)
+ require.NoError(t, err)
+
+ _, port, err := net.SplitHostPort(target.Host)
+ require.NoError(t, err)
+
+ c := NewResilientClient(
+ ResilientClientWithMaxRetry(0),
+ ResilientClientWithConnectionTimeout(10*time.Millisecond),
+ )
+
+ for i := 0; i < 10; i++ {
+ for destination, handled := range map[string]bool{
+ "http://127.0.0.1:" + port: true,
+ "http://localhost:" + port: true,
+ "http://192.168.178.5:" + port: false,
+ "http://localhost:" + port + "/glob/bar": true,
+ "http://100.64.1.1:" + port + "/route": false,
+ } {
+ _, err = c.Get(destination)
+ if handled {
+ require.NoError(t, err)
  } else {
- require.NoErrorf(t, err, "dest = %s", destination)
+ require.Error(t, err)
+ assert.NotContainsf(t, err.Error(), "is not a permitted destination", "dest = %s", destination)
  }
  }
  }

diff --git a/httpx/ssrf.go b/httpx/ssrf.go
@@ -8,7 +8,6 @@ import (
  "net"
  "net/http"
  "net/http/httptrace"
- "net/netip"
  "time"
 
  "code.dny.dev/ssrf"
@@ -88,15 +87,10 @@ func init() {
  ssrf.WithAnyPort(),
  ssrf.WithNetworks("tcp4", "tcp6"),
  ssrf.WithAllowedV4Prefixes(
- netip.MustParsePrefix("10.0.0.0/8"), // Private-Use (RFC 1918)
- netip.MustParsePrefix("127.0.0.0/8"), // Loopback (RFC 1122, Section 3.2.1.3))
- netip.MustParsePrefix("169.254.0.0/16"), // Link Local (RFC 3927)
- netip.MustParsePrefix("172.16.0.0/12"), // Private-Use (RFC 1918)
- netip.MustParsePrefix("192.168.0.0/16"), // Private-Use (RFC 1918)
+ ssrf.IPv4DeniedPrefixes...,
  ),
  ssrf.WithAllowedV6Prefixes(
- netip.MustParsePrefix("::1/128"), // Loopback (RFC 4193)
- netip.MustParsePrefix("fc00::/7"), // Unique Local (RFC 4193)
+ ssrf.IPv6DeniedPrefixes...,
  ),
  ).Safe
  allowInternalAllowIPv6 = otelTransport(t)
@@ -108,15 +102,10 @@ func init() {
  ssrf.WithAnyPort(),
  ssrf.WithNetworks("tcp4"),
  ssrf.WithAllowedV4Prefixes(
- netip.MustParsePrefix("10.0.0.0/8"), // Private-Use (RFC 1918)
- netip.MustParsePrefix("127.0.0.0/8"), // Loopback (RFC 1122, Section 3.2.1.3))
- netip.MustParsePrefix("169.254.0.0/16"), // Link Local (RFC 3927)
- netip.MustParsePrefix("172.16.0.0/12"), // Private-Use (RFC 1918)
- netip.MustParsePrefix("192.168.0.0/16"), // Private-Use (RFC 1918)
+ ssrf.IPv4DeniedPrefixes...,
  ),
  ssrf.WithAllowedV6Prefixes(
- netip.MustParsePrefix("::1/128"), // Loopback (RFC 4193)
- netip.MustParsePrefix("fc00::/7"), // Unique Local (RFC 4193)
+ ssrf.IPv6DeniedPrefixes...,
  ),
  ).Safe
  t.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {