diff options
| author |  Daniele Sluijters <daenney@users.noreply.github.com> | 2022-11-26 12:09:55 +0100 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2022-11-26 11:09:55 +0000 |
| commit | 746f3fa4e65ac2806955a4be8e969dd8a2636ccf (patch) | |
| tree | c69b69139eb697a1d94349f741e57a24e7049835 /internal/httpclient/sanitizer.go | |
| parent | [bugfix]: Fix IPv6 validation (#1150) (diff) | |
| download | gotosocial-746f3fa4e65ac2806955a4be8e969dd8a2636ccf.tar.xz | |
Additional IP range validations (#1152)
* [bugfix] Ensure requests happen over TCP
It's possible for the network to be udp4 or udp6. This is rather
unlikely to occur, but since we're given the network anyway as part of
the Sanitize function getting called we might as well check for it.
* [chore] Align reserved v6 blocks to IANA registry
* [chore] Add test for ValidateIP
The net and netip packages diverge in that net.ParseIP will consider an
IPv4-mapped address to be an IPv4 address and as such it would get
caught by the IPv4Reserved list. However, netip considers it an IPv6
address, so we need to ensure the mapped range is in IPv6Reserved.
* [chore] Align reserved v4 blocks to IANA registry
This includes a number of tests for /32's explicitly called out in the
registry to ensure we always consider those invalid.
Diffstat (limited to 'internal/httpclient/sanitizer.go')
| -rw-r--r-- | internal/httpclient/sanitizer.go | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/internal/httpclient/sanitizer.go b/internal/httpclient/sanitizer.go index 6eef6898a..75c0b34b9 100644 --- a/internal/httpclient/sanitizer.go +++ b/internal/httpclient/sanitizer.go @@ -38,6 +38,10 @@ func (s *sanitizer) Sanitize(ntwrk, addr string, _ syscall.RawConn) error { return err } + if !(ntwrk == "tcp4" || ntwrk == "tcp6") { + return ErrInvalidNetwork + } + // Seperate the IP ip := ipport.Addr() |