ResilientClient allowed to call internal IPs cannot call 100.64.0.0/10 IP range. #805

Open
5 tasks done
David-Wobrock opened this issue Aug 21, 2024 · 0 comments · May be fixed by #806
Labels
bug Something is not working.

Comments

@David-Wobrock

Preflight checklist

Ory Network Project

No response

Describe the bug

When creating a ResilientClient that is allowed to call internal IPs, some internal IP ranges are still blocked.

TL;DR:

The IP range 100.64.0.0/10 is blocked by the ResilientClient, even if we allow internal IPs or if we whitelist this specific IP.
Thus, there is no way to pass it.


Expected behaviour:

c := NewResilientClient()
c.Get("http://100.64.1.1:80/route")

should work, but instead we get an error:

[ERR] POST http://100.64.1.1:80/route request failed: Post "http://100.64.1.1:80/route": dial tcp 100.64.1.1:80: prohibited IP address: 100.64.1.1 is not a permitted destination (denied by: 100.64.0.0/10)


This comes down to this range, which is defined here: https://github.com/daenney/ssrf/blob/main/ssrf_gen.go#L38

We should only get this error when we do:

c := NewResilientClient(
	ResilientClientDisallowInternalIPs(),
)
c.Get("http://100.64.1.1:80/route")

Additionally, the ResilientClientAllowInternalIPRequestsTo option will not work as expected for these ranges.
Example:

c := NewResilientClient(
	ResilientClientDisallowInternalIPs(),
	ResilientClientAllowInternalIPRequestsTo("http://100.64.1.1:80/route"),
)
c.Get("http://100.64.1.1:80/route")

should work, but instead we get the same error:

[ERR] POST http://100.64.1.1:80/route request failed: Post "http://100.64.1.1:80/route": dial tcp 100.64.1.1:80: prohibited IP address: 100.64.1.1 is not a permitted destination (denied by: 100.64.0.0/10)

This happens because, no matter the onWhitelist RoundTripper that we use, it is an ssrf.Safe where we don't allow the 100.64.0.0/10 IP range.

Reproducing the bug

Can be reproduced in the test suite quite easily, by creating a new test case like we have in httpx/resilient_client_test.go.

Relevant log output

No response

Relevant configuration

No response

Version

v0.0.649

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

I'll try to submit a patch in the coming days/weeks.
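The precedence the report expects (an explicit allow list consulted before the default deny list, and 100.64.0.0/10 present in that deny list) written out as a small stand-alone destination filter. This is an added example, not code from ory/x or daenney/ssrf; Policy, Check and defaultDenied are assumed names, and the prefix list is a constructed subset of the real generated one.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed subset of the non-public prefixes the ssrf library denies.
// 100.64.0.0/10 (RFC 6598 shared address space) is the range from this issue.
var defaultDenied = mustPrefixes(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// Policy (assumed name) models the three modes in the issue: allow all
// internal IPs, deny all internal IPs, or deny except an explicit allow list.
type Policy struct {
	AllowInternal bool
	Allowed       []netip.Prefix // checked before the deny list
}

// Check returns nil if dialing ip is permitted, otherwise an error naming the
// denying prefix, shaped like the message quoted in the issue.
func (p Policy) Check(ip netip.Addr) error {
	ip = ip.Unmap() // treat ::ffff:100.64.1.1 the same as 100.64.1.1
	if p.AllowInternal {
		return nil
	}
	for _, a := range p.Allowed {
		if a.Contains(ip) {
			return nil // explicit allow wins over the default deny list
		}
	}
	for _, d := range defaultDenied {
		if d.Contains(ip) {
			return fmt.Errorf("prohibited IP address: %s is not a permitted destination (denied by: %s)", ip, d)
		}
	}
	return nil
}

func main() {
	ip := netip.MustParseAddr("100.64.1.1")
	fmt.Println("default:", Policy{}.Check(ip))
	fmt.Println("allow internal:", Policy{AllowInternal: true}.Check(ip))
	fmt.Println("allow-listed:", Policy{Allowed: mustPrefixes("100.64.1.1/32")}.Check(ip))
}
```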
