Additional IP range validations (#1152)

* [bugfix] Ensure requests happen over TCP It's possible for the network to be udp4 or udp6. This is rather unlikely to occur, but since we're given the network anyway as part of the Sanitize function getting called we might as well check for it. * [chore] Align reserved v6 blocks to IANA registry * [chore] Add test for ValidateIP The net and netip packages diverge in that net.ParseIP will consider an IPv4-mapped address to be an IPv4 address and as such it would get caught by the IPv4Reserved list. However, netip considers it an IPv6 address, so we need to ensure the mapped range is in IPv6Reserved. * [chore] Align reserved v4 blocks to IANA registry This includes a number of tests for /32's explicitly called out in the registry to ensure we always consider those invalid.
2025-06-05 21:59:39 +02:00 · 2022-11-26 12:09:55 +01:00
parent e6cd81babc
commit 746f3fa4e6
4 changed files with 89 additions and 6 deletions
--- a/internal/httpclient/client.go
+++ b/internal/httpclient/client.go
@@ -36,6 +36,9 @@ import (
 // ErrInvalidRequest is returned if a given HTTP request is invalid and cannot be performed.
 var ErrInvalidRequest = errors.New("invalid http request")

+// ErrInvalidNetwork is returned if the request would not be performed over TCP
+var ErrInvalidNetwork = errors.New("invalid network type")
+
 // ErrReservedAddr is returned if a dialed address resolves to an IP within a blocked or reserved net.
 var ErrReservedAddr = errors.New("dial within blocked / reserved IP range")