Ory Network Project
No response

Describe the bug
When creating a `ResilientClient` that is allowed to call internal IPs, some internal IP ranges are still blocked.

TL;DR:
The IP range 100.64.0.0/10 is blocked by the `ResilientClient`, even if we allow internal IPs or if we whitelist this specific IP. Thus, there is no way to pass it.

Expected behaviour:

```go
c := NewResilientClient()
c.Get("http://100.64.1.1:80/route")
```

should work, but instead we get an error:

```
[ERR] POST http://100.64.1.1:80/route request failed: Post "http://100.64.1.1:80/route": dial tcp 100.64.1.1:80: prohibited IP address: 100.64.1.1 is not a permitted destination (denied by: 100.64.0.0/10)
```

This comes back to this range that is defined here: https://github.com/daenney/ssrf/blob/main/ssrf_gen.go#L38

We should only get this error when we do:

```go
c := NewResilientClient(
	ResilientClientDisallowInternalIPs(),
)
c.Get("http://100.64.1.1:80/route")
```

Additionally, the `ResilientClientAllowInternalIPRequestsTo` option will not work as expected for these ranges.

Example:

```go
c := NewResilientClient(
	ResilientClientDisallowInternalIPs(),
	ResilientClientAllowInternalIPRequestsTo("http://100.64.1.1:80/route"),
)
c.Get("http://100.64.1.1:80/route")
```

should work, but instead we get the same error:

```
[ERR] POST http://100.64.1.1:80/route request failed: Post "http://100.64.1.1:80/route": dial tcp 100.64.1.1:80: prohibited IP address: 100.64.1.1 is not a permitted destination (denied by: 100.64.0.0/10)
```

This happens because, no matter the `onWhitelist` RoundTripper that we use, it is a `ssrf.Safe` where we don't allow the 100.64.0.0/10 IP range.
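As an added illustration (not code from ory/x or daenney/ssrf), the following Go check shows the ordering the report expects: the allow-internal switch and explicit per-destination allowances are consulted before the deny list, so 100.64.1.1 is refused with the error quoted above only when nothing allows it. `blockedRanges`, `denyingRange` and `checkDest` are constructed names, and the range list is a subset chosen for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed illustration, not the ory/x httpx or daenney/ssrf code. The
// ranges are a subset of what an SSRF-safe dialer refuses; 100.64.0.0/10
// (RFC 6598 shared address space) is the one this report is about.
var blockedRanges = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

// denyingRange returns the blocked prefix containing ip, or "" if none.
func denyingRange(ip netip.Addr) string {
	for _, p := range blockedRanges {
		if p.Contains(ip) {
			return p.String()
		}
	}
	return ""
}

// checkDest decides whether dialing host is permitted. allowInternal is the
// "allow internal IPs" switch, allowed holds explicit per-destination
// allowances; both are consulted before the deny list. Applying the deny list
// regardless of them (the behaviour reported above) makes 100.64.0.0/10 unreachable.
func checkDest(allowInternal bool, allowed []netip.Prefix, host string) error {
	ip, err := netip.ParseAddr(host)
	if err != nil {
		return fmt.Errorf("not a literal IP address: %w", err)
	}
	if allowInternal {
		return nil
	}
	for _, a := range allowed {
		if a.Contains(ip) {
			return nil
		}
	}
	if r := denyingRange(ip); r != "" {
		return fmt.Errorf("prohibited IP address: %s is not a permitted destination (denied by: %s)", ip, r)
	}
	return nil
}
```

Calling `checkDest(false, nil, "100.64.1.1")` reproduces the denial text from the report, while passing a `100.64.1.1/32` allowance or `allowInternal=true` lets the dial through.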
Reproducing the bug
It can be reproduced in the test suite quite easily by creating a new test case like the ones in `httpx/resilient_client_test.go`.
Relevant log output
No response
Relevant configuration
No response
Version
v0.0.649
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
I'll try to submit a patch in the coming days/weeks.