-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'chore/improve-http-redirects' into release/0.8.0
- Loading branch information
Showing
12 changed files
with
242 additions
and
29 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
package adapters | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"net" | ||
"time" | ||
) | ||
|
||
var privateIPBlocks []*net.IPNet | ||
|
||
func init() { | ||
for _, cidr := range []string{ | ||
"127.0.0.0/8", // IPv4 loopback | ||
"10.0.0.0/8", // RFC1918 | ||
"172.16.0.0/12", // RFC1918 | ||
"192.168.0.0/16", // RFC1918 | ||
"169.254.0.0/16", // RFC3927 link-local | ||
"::1/128", // IPv6 loopback | ||
"fe80::/10", // IPv6 link-local | ||
"fc00::/7", // IPv6 unique local addr | ||
} { | ||
_, block, err := net.ParseCIDR(cidr) | ||
if err != nil { | ||
panic(fmt.Errorf("parse error on %q: %v", cidr, err)) | ||
} | ||
privateIPBlocks = append(privateIPBlocks, block) | ||
} | ||
} | ||
|
||
func isRestrictedIP(ip net.IP) bool { | ||
if !ip.IsGlobalUnicast() || | ||
ip.IsLoopback() || | ||
ip.IsLinkLocalUnicast() || | ||
ip.IsLinkLocalMulticast() || | ||
ip.IsInterfaceLocalMulticast() || | ||
ip.IsUnspecified() || | ||
ip.Equal(net.IPv4bcast) || | ||
ip.Equal(net.IPv4allsys) || | ||
ip.Equal(net.IPv4allrouter) || | ||
ip.Equal(net.IPv4zero) || | ||
ip.IsMulticast() { | ||
return true | ||
} | ||
|
||
for _, block := range privateIPBlocks { | ||
if block.Contains(ip) { | ||
return true | ||
} | ||
} | ||
return false | ||
} | ||
|
||
// restrictedDialContext wraps the Dialer such that after successful connection, | ||
// we check the IP. | ||
// If the resolved IP is restricted, close the connection and return an error. | ||
func restrictedDialContext(ctx context.Context, network, address string) (net.Conn, error) { | ||
con, err := (&net.Dialer{ | ||
// Defaults from GoLang standard http package | ||
// https://golang.org/pkg/net/http/#RoundTripper | ||
Timeout: 30 * time.Second, | ||
KeepAlive: 30 * time.Second, | ||
DualStack: true, | ||
}).DialContext(ctx, network, address) | ||
if err == nil { | ||
// If a connection could be established, ensure its not local or private | ||
a, _ := con.RemoteAddr().(*net.TCPAddr) | ||
|
||
if isRestrictedIP(a.IP) { | ||
defer con.Close() | ||
return nil, fmt.Errorf("disallowed IP %s. Connections to local/private and multicast networks are disabled by default for security reasons. If you really want to allow this, consider using the httpgetwithunrestrictednetworkaccess or httppostwithunrestrictednetworkaccess adapter instead", a.IP.String()) | ||
} | ||
} | ||
return con, err | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
package adapters | ||
|
||
import ( | ||
"github.com/stretchr/testify/assert" | ||
"net" | ||
"testing" | ||
) | ||
|
||
func TestHttpAllowedIPS_isRestrictedIP(t *testing.T) { | ||
t.Parallel() | ||
|
||
tests := []struct { | ||
ip net.IP | ||
isRestricted bool | ||
}{ | ||
{net.ParseIP("1.1.1.1"), false}, | ||
{net.ParseIP("216.239.32.10"), false}, | ||
{net.ParseIP("2001:4860:4860::8888"), false}, | ||
{net.ParseIP("127.0.0.1"), true}, | ||
{net.ParseIP("255.255.255.255"), true}, | ||
{net.ParseIP("224.0.0.1"), true}, | ||
{net.ParseIP("224.0.0.2"), true}, | ||
{net.ParseIP("224.1.1.1"), true}, | ||
{net.ParseIP("0.0.0.0"), true}, | ||
{net.ParseIP("192.168.0.1"), true}, | ||
{net.ParseIP("192.168.1.255"), true}, | ||
{net.ParseIP("255.255.255.255"), true}, | ||
{net.ParseIP("10.0.0.1"), true}, | ||
{net.ParseIP("::1"), true}, | ||
{net.ParseIP("fd57:03f9:9ef5:8a81::1"), true}, | ||
{net.ParseIP("FD00::1"), true}, | ||
{net.ParseIP("FF02::1"), true}, | ||
{net.ParseIP("FE80:0000:0000:0000:abcd:abcd:abcd:abcd"), true}, | ||
{net.IP{0xff, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01}, true}, | ||
{net.IP{0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01}, true}, | ||
{net.IP{0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02}, true}, | ||
} | ||
|
||
for _, test := range tests { | ||
t.Run(test.ip.String(), func(t *testing.T) { | ||
assert.Equal(t, test.isRestricted, isRestrictedIP(test.ip)) | ||
}) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.