fix: properly handle urls in saferoundtripper (#267)

cbosss · web-flow · commit 84e50aba48d3 · 2021-11-17T12:04:12.000+01:00
* debug logging

* tdd: added test case for failure behavior

* now attempting to resolve url
diff --git a/http/http.go b/http/http.go
@@ -29,17 +29,19 @@ func init() {
 	}
 }
 
-func blocksContain(blocks []*net.IPNet, ip net.IP) bool {
+func blocksContainsAny(blocks []*net.IPNet, ips []net.IP) bool {
 	for _, block := range blocks {
-		if block.Contains(ip) {
-			return true
+		for _, ip := range ips {
+			if block.Contains(ip) {
+				return true
+			}
 		}
 	}
 	return false
 }
 
-func isPrivateIP(ip net.IP) bool {
-	return blocksContain(privateIPBlocks, ip)
+func containsPrivateIP(ips []net.IP) bool {
+	return blocksContainsAny(privateIPBlocks, ips)
 }
 
 type noLocalTransport struct {
@@ -59,18 +61,19 @@ func (no noLocalTransport) RoundTrip(req *http.Request) (*http.Response, error)
 				no.errlog.WithError(err).Error("Cancelled request due to error in address parsing")
 				return
 			}
-			ip := net.ParseIP(host)
-			if ip == nil {
+
+			ips, err := net.LookupIP(host)
+			if err != nil || len(ips) == 0 {
 				cancel()
-				no.errlog.WithError(err).Error("Cancelled request due to error in ip parsing")
+				no.errlog.WithError(err).Error("Cancelled request due to error in host lookup")
 				return
 			}
 
-			if blocksContain(no.allowedBlocks, ip) {
+			if blocksContainsAny(no.allowedBlocks, ips) {
 				return
 			}
 
-			if isPrivateIP(ip) {
+			if containsPrivateIP(ips) {
 				cancel()
 				no.errlog.Error("Cancelled attempted request to ip in private range")
 				return
diff --git a/http/http_test.go b/http/http_test.go
@@ -27,7 +27,10 @@ func TestIsPrivateIP(t *testing.T) {
 
 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		assert.Equal(t, tt.expected, isPrivateIP(ip))
+		if ip == nil {
+			require.Fail(t, "failed to parse IP")
+		}
+		assert.Equal(t, tt.expected, containsPrivateIP([]net.IP{ip}))
 	}
 }
 
@@ -43,6 +46,10 @@ func TestSafeHTTPClient(t *testing.T) {
 
 	client := SafeHTTPClient(&http.Client{}, logrus.New())
 
+	// It allows accessing non-local addresses
+	_, err = client.Get("https://google.com")
+	require.Nil(t, err)
+
 	// It blocks the local IP.
 	_, err = client.Get(ts.URL)
 	require.NotNil(t, err)

Original file line number	Diff line number	Diff line change
`@@ -29,17 +29,19 @@ func init() {`
`29`	`29`	`}`
`30`	`30`	`}`
`31`	`31`
`32`		`-func blocksContain(blocks []*net.IPNet, ip net.IP) bool {`
	`32`	`+func blocksContainsAny(blocks []*net.IPNet, ips []net.IP) bool {`
`33`	`33`	`for _, block := range blocks {`
`34`		`- if block.Contains(ip) {`
`35`		`- return true`
	`34`	`+ for _, ip := range ips {`
	`35`	`+ if block.Contains(ip) {`
	`36`	`+ return true`
	`37`	`+ }`
`36`	`38`	`}`
`37`	`39`	`}`
`38`	`40`	`return false`
`39`	`41`	`}`
`40`	`42`
`41`		`-func isPrivateIP(ip net.IP) bool {`
`42`		`- return blocksContain(privateIPBlocks, ip)`
	`43`	`+func containsPrivateIP(ips []net.IP) bool {`
	`44`	`+ return blocksContainsAny(privateIPBlocks, ips)`
`43`	`45`	`}`
`44`	`46`
`45`	`47`	`type noLocalTransport struct {`
`@@ -59,18 +61,19 @@ func (no noLocalTransport) RoundTrip(req http.Request) (http.Response, error)`
`59`	`61`	`no.errlog.WithError(err).Error("Cancelled request due to error in address parsing")`
`60`	`62`	`return`
`61`	`63`	`}`
`62`		`- ip := net.ParseIP(host)`
`63`		`- if ip == nil {`
	`64`	`+`
	`65`	`+ ips, err := net.LookupIP(host)`
	`66`	`+ if err != nil \|\| len(ips) == 0 {`
`64`	`67`	`cancel()`
`65`		`- no.errlog.WithError(err).Error("Cancelled request due to error in ip parsing")`
	`68`	`+ no.errlog.WithError(err).Error("Cancelled request due to error in host lookup")`
`66`	`69`	`return`
`67`	`70`	`}`
`68`	`71`
`69`		`- if blocksContain(no.allowedBlocks, ip) {`
	`72`	`+ if blocksContainsAny(no.allowedBlocks, ips) {`
`70`	`73`	`return`
`71`	`74`	`}`
`72`	`75`
`73`		`- if isPrivateIP(ip) {`
	`76`	`+ if containsPrivateIP(ips) {`
`74`	`77`	`cancel()`
`75`	`78`	`no.errlog.Error("Cancelled attempted request to ip in private range")`
`76`	`79`	`return`