fix: allow calling internal IP range 100.64.0.0/10 with relevant ResilientClient options #806
Thanks for the review @alnr 🙏 I pushed some edits around the suggestion about the tests. Let me know what you think :)
Thank you for the PR - I just want to note that we have pretty strict security requirements in our internal systems, and generally do not allow merging a weakening of those guarantees. Whatever ends up in the final code must deny/allow the same IP ranges as before.
Thanks for the details; however, I am unsure how to interpret them 🤔 Would you consider adding
By default, we would deny the same IP ranges (the ones in ssrf); however, we would allow adding an exception for 100.64.0.0/10 IPs (which can never be called today).
The `ResilientClient` options `ResilientClientDisallowInternalIPs` and `ResilientClientAllowInternalIPRequestsTo` did not allow calling IP ranges like 100.64.0.0/10 properly. Some IP ranges are still not possible to bypass.
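As an added example (not code from this PR or from ory/x), the following Go policy check shows the behaviour the description and the maintainer discussion converge on: internal ranges stay denied by default, and an explicit exception such as 100.64.0.0/10 widens reachability only for that listed prefix, never for the rest of the deny set. The range list, the `InternalIPPolicy` type, its field names and the `cidr` helper are assumptions for this example, not ory/x's real types.

```go
package main

import (
	"fmt"
	"net"
)

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Internal ranges denied by default (assumed list); 100.64.0.0/10 (RFC 6598)
// is included so it stays blocked unless explicitly allow-listed.
var internalRanges = []*net.IPNet{
	cidr("127.0.0.0/8"), cidr("10.0.0.0/8"), cidr("172.16.0.0/12"),
	cidr("192.168.0.0/16"), cidr("169.254.0.0/16"), cidr("100.64.0.0/10"),
	cidr("::1/128"), cidr("fc00::/7"), cidr("fe80::/10"),
}

// InternalIPPolicy mirrors the PR's two options (assumed names, not ory/x's types).
type InternalIPPolicy struct {
	DisallowInternalIPs bool
	AllowRequestsTo     []*net.IPNet // explicit exceptions, e.g. 100.64.0.0/10
}

// Permits reports whether ip may be dialed. Exceptions only widen reachability
// for the listed prefixes; the default deny set itself never changes.
func (p InternalIPPolicy) Permits(ip net.IP) error {
	if ip == nil {
		return fmt.Errorf("invalid IP address")
	}
	if !p.DisallowInternalIPs {
		return nil
	}
	for _, allowed := range p.AllowRequestsTo {
		if allowed.Contains(ip) {
			return nil
		}
	}
	for _, internal := range internalRanges {
		if internal.Contains(ip) {
			return fmt.Errorf("%s is in internal range %s and not allow-listed", ip, internal)
		}
	}
	return nil
}
```

Note that `Contains` normalises IPv4-mapped IPv6 addresses via `To4`, so `::ffff:10.0.0.5` is caught by the 10.0.0.0/8 entry as well.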
The `ResilientClient` options `ResilientClientDisallowInternalIPs` and `ResilientClientAllowInternalIPRequestsTo` did not allow calling certain IP ranges, like 100.64.0.0/10, properly.
Related Issue or Design Document
Fixes: #805
And relates to Kratos issue: ory/kratos#4049
Checklist
If this pull request addresses a security vulnerability, I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
Further comments