ResilientClient allowed to call internal IPs cannot call 100.64.0.0/10 IP range. #805
Open
Labels
bug
Ory Network Project
No response
Describe the bug
When creating a ResilientClient that is allowed to call internal IPs, some internal IP ranges are still blocked.
TL;DR: The IP range 100.64.0.0/10 is blocked by the ResilientClient, even if we allow internal IPs or if we whitelist this specific IP. Thus, there is no way to pass it.
Expected behaviour:
should work, but instead we get an error:
❌
This comes back to this range that is defined here: https://github.com/daenney/ssrf/blob/main/ssrf_gen.go#L38
We should only get this error when we do:
Additionally, the ResilientClientAllowInternalIPRequestsTo option will not work as expected for these ranges.
Example:
should work, but instead we get the same error:
This happens because, no matter the onWhitelist RoundTripper that we use, it is an ssrf.Safe where we don't allow the 100.64.0.0/10 IP range.
Reproducing the bug
Can be reproduced in the test suite quite easily, by creating a new test case like we have in httpx/resilient_client_test.go.
Relevant log output
No response
Relevant configuration
No response
Version
v0.0.649
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
I'll try to submit a patch in the coming days/weeks.
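An added example, not part of the original issue and not code from ory/x or daenney/ssrf: a standard-library model of the behaviour the report expects, where an allow-internal option or a per-prefix exemption is evaluated before the deny list that contains 100.64.0.0/10. The names `rule`, `Guard`, `NewGuard` and `Check`, the deny list contents and the `100.64.1.0/24` exemption are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed deny list of internal IPv4 ranges, including the one from the issue.
var internalV4 = []string{"10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"}

// rule and Guard are hypothetical names, not the ory/x or daenney/ssrf API.
type rule struct {
	prefix netip.Prefix
	allow  bool
}
type Guard []rule // ordered: the first rule whose prefix matches decides

// NewGuard puts exemptions first so they can open an internal range. Panics on a bad CIDR.
func NewGuard(allowInternal bool, exemptions ...string) Guard {
	var g Guard
	for _, c := range exemptions {
		g = append(g, rule{netip.MustParsePrefix(c).Masked(), true})
	}
	for _, c := range internalV4 { // internal ranges are allowed only if allowInternal
		g = append(g, rule{netip.MustParsePrefix(c), allowInternal})
	}
	return g
}

// Check returns nil when dialing addr (an IP literal) is permitted.
func (g Guard) Check(addr string) error {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return err
	}
	ip = ip.Unmap() // treat ::ffff:100.64.0.1 like 100.64.0.1
	for _, r := range g {
		if r.prefix.Contains(ip) && !r.allow {
			return fmt.Errorf("%s is in denied prefix %s", ip, r.prefix)
		} else if r.prefix.Contains(ip) {
			return nil
		}
	}
	return nil
}

func main() {
	fmt.Println(NewGuard(false, "100.64.1.0/24").Check("100.64.2.7"))
}
```

The same cases work as a table-driven regression test: 100.64.0.0/10 must be refused by default, reachable when internal IPs are allowed, and reachable only inside the exempted prefix when a single prefix is allowed.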