[feature] enable + document explicit IP dialer allowing/denying (#1950)

* [feature] enable + document explicit IP dialer allowing/denying * lord have mercy * allee jonge * shortcut check ipv6 prefixes * comment * separate httpclient_test, export Sanitizer
2025-10-29 04:22:24 -05:00 · 2023-07-07 16:17:39 +02:00 · 2023-07-07 16:17:39 +02:00 · 2a99df0588
commit 2a99df0588
parent ac564c1862
17 changed files with 554 additions and 200 deletions
--- a/internal/httpclient/client.go
+++ b/internal/httpclient/client.go
@ -130,9 +130,9 @@ func New(cfg Config) *Client {
 	}

 	// Protect dialer with IP range sanitizer.
-	d.Control = (&sanitizer{
-		allow: cfg.AllowRanges,
-		block: cfg.BlockRanges,
+	d.Control = (&Sanitizer{
+		Allow: cfg.AllowRanges,
+		Block: cfg.BlockRanges,
 	}).Sanitize

 	// Prepare client fields.
--- a/internal/httpclient/sanitizer.go
+++ b/internal/httpclient/sanitizer.go
@ -20,48 +20,126 @@ package httpclient
 import (
 	"net/netip"
 	"syscall"
-
-	"github.com/superseriousbusiness/gotosocial/internal/netutil"
 )

-type sanitizer struct {
-	allow []netip.Prefix
-	block []netip.Prefix
+var (
+	// ipv6GlobalUnicast is the prefix set aside by IANA for global unicast assignments, i.e "the internet".
+	// https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
+	ipv6GlobalUnicast = netip.MustParsePrefix("2000::/3")
+
+	// ipv6Reserved contains IPv6 reserved IP prefixes that fall within ipv6GlobalUnicast.
+	// https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+	ipv6Reserved = [...]netip.Prefix{
+		netip.MustParsePrefix("2001::/23"),         // IETF Protocol Assignments (RFC 2928)
+		netip.MustParsePrefix("2001:db8::/32"),     // Documentation (RFC 3849)
+		netip.MustParsePrefix("2002::/16"),         // 6to4 (RFC 3056)
+		netip.MustParsePrefix("2620:4f:8000::/48"), // Direct Delegation AS112 Service (RFC 7534)
+	}
+
+	// ipv4Reserved contains IPv4 reserved IP prefixes.
+	// https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+	ipv4Reserved = [...]netip.Prefix{
+		netip.MustParsePrefix("0.0.0.0/8"),       // Current network
+		netip.MustParsePrefix("10.0.0.0/8"),      // Private
+		netip.MustParsePrefix("100.64.0.0/10"),   // RFC6598
+		netip.MustParsePrefix("127.0.0.0/8"),     // Loopback
+		netip.MustParsePrefix("169.254.0.0/16"),  // Link-local
+		netip.MustParsePrefix("172.16.0.0/12"),   // Private
+		netip.MustParsePrefix("192.0.0.0/24"),    // RFC6890
+		netip.MustParsePrefix("192.0.2.0/24"),    // Test, doc, examples
+		netip.MustParsePrefix("192.31.196.0/24"), // AS112-v4, RFC 7535
+		netip.MustParsePrefix("192.52.193.0/24"), // AMT, RFC 7450
+		netip.MustParsePrefix("192.88.99.0/24"),  // IPv6 to IPv4 relay
+		netip.MustParsePrefix("192.168.0.0/16"),  // Private
+		netip.MustParsePrefix("192.175.48.0/24"), // Direct Delegation AS112 Service, RFC 7534
+		netip.MustParsePrefix("198.18.0.0/15"),   // Benchmarking tests
+		netip.MustParsePrefix("198.51.100.0/24"), // Test, doc, examples
+		netip.MustParsePrefix("203.0.113.0/24"),  // Test, doc, examples
+		netip.MustParsePrefix("224.0.0.0/4"),     // Multicast
+		netip.MustParsePrefix("240.0.0.0/4"),     // Reserved (includes broadcast / 255.255.255.255)
+	}
+)
+
+type Sanitizer struct {
+	Allow []netip.Prefix
+	Block []netip.Prefix
 }

 // Sanitize implements the required net.Dialer.Control function signature.
-func (s *sanitizer) Sanitize(ntwrk, addr string, _ syscall.RawConn) error {
+func (s *Sanitizer) Sanitize(ntwrk, addr string, _ syscall.RawConn) error {
 	// Parse IP+port from addr
 	ipport, err := netip.ParseAddrPort(addr)
 	if err != nil {
 		return err
 	}

-	if !(ntwrk == "tcp4" || ntwrk == "tcp6") {
+	// Ensure valid network.
+	const (
+		tcp4 = "tcp4"
+		tcp6 = "tcp6"
+	)
+
+	if !(ntwrk == tcp4 || ntwrk == tcp6) {
 		return ErrInvalidNetwork
 	}

-	// Seperate the IP
+	// Separate the IP.
 	ip := ipport.Addr()

-	// Check if this is explicitly allowed
-	for i := 0; i < len(s.allow); i++ {
-		if s.allow[i].Contains(ip) {
+	// Check if this IP is explicitly allowed.
+	for i := 0; i < len(s.Allow); i++ {
+		if s.Allow[i].Contains(ip) {
 			return nil
 		}
 	}

-	// Now check if explicity blocked
-	for i := 0; i < len(s.block); i++ {
-		if s.block[i].Contains(ip) {
+	// Check if this IP is explicitly blocked.
+	for i := 0; i < len(s.Block); i++ {
+		if s.Block[i].Contains(ip) {
 			return ErrReservedAddr
 		}
 	}

-	// Validate this is a safe IP
-	if !netutil.ValidateIP(ip) {
+	// Validate this is a safe IP.
+	if !SafeIP(ip) {
 		return ErrReservedAddr
 	}

 	return nil
 }
+
+// SafeIP returns whether ip is an IPv4/6
+// address in a non-reserved, public range.
+func SafeIP(ip netip.Addr) bool {
+	switch {
+	// IPv4: check if IPv4 in reserved nets
+	case ip.Is4():
+		for _, reserved := range ipv4Reserved {
+			if reserved.Contains(ip) {
+				return false
+			}
+		}
+		return true
+
+	// IPv6: check if IP in IPv6 reserved nets
+	case ip.Is6():
+		if !ipv6GlobalUnicast.Contains(ip) {
+			// Address is not globally routeable,
+			// ie., not "on the internet".
+			return false
+		}
+
+		for _, reserved := range ipv6Reserved {
+			if reserved.Contains(ip) {
+				// Address is globally routeable
+				// but falls in a reserved range.
+				return false
+			}
+		}
+		return true
+
+	// Assume malicious by default
+	default:
+		return false
+	}
+}
--- a/internal/httpclient/sanitizer_test.go
+++ b/internal/httpclient/sanitizer_test.go
@ -0,0 +1,154 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package httpclient_test
+
+import (
+	"errors"
+	"net/netip"
+	"testing"
+
+	"github.com/superseriousbusiness/gotosocial/internal/httpclient"
+)
+
+func TestSafeIP(t *testing.T) {
+	tests := []struct {
+		name string
+		ip   netip.Addr
+	}{
+		// IPv4 tests
+		{
+			name: "IPv4 this host on this network",
+			ip:   netip.MustParseAddr("0.0.0.0"),
+		},
+		{
+			name: "IPv4 dummy address",
+			ip:   netip.MustParseAddr("192.0.0.8"),
+		},
+		{
+			name: "IPv4 Port Control Protocol Anycast",
+			ip:   netip.MustParseAddr("192.0.0.9"),
+		},
+		{
+			name: "IPv4 Traversal Using Relays around NAT Anycast",
+			ip:   netip.MustParseAddr("192.0.0.10"),
+		},
+		{
+			name: "IPv4 NAT64/DNS64 Discovery 1",
+			ip:   netip.MustParseAddr("192.0.0.17"),
+		},
+		{
+			name: "IPv4 NAT64/DNS64 Discovery 2",
+			ip:   netip.MustParseAddr("192.0.0.171"),
+		},
+		// IPv6 tests
+		{
+			name: "IPv4-mapped address",
+			ip:   netip.MustParseAddr("::ffff:169.254.169.254"),
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if safe := httpclient.SafeIP(tc.ip); safe {
+				t.Fatalf("Expected IP %s to not safe (%t), got: %t", tc.ip, false, safe)
+			}
+		})
+	}
+}
+
+func TestSanitizer(t *testing.T) {
+	s := httpclient.Sanitizer{
+		Allow: []netip.Prefix{
+			netip.MustParsePrefix("192.0.0.8/32"),
+			netip.MustParsePrefix("::ffff:169.254.169.254/128"),
+		},
+		Block: []netip.Prefix{
+			netip.MustParsePrefix("93.184.216.34/32"), // example.org
+		},
+	}
+
+	tests := []struct {
+		name     string
+		ntwrk    string
+		addr     string
+		expected error
+	}{
+		// IPv4 tests
+		{
+			name:     "IPv4 this host on this network",
+			ntwrk:    "tcp4",
+			addr:     "0.0.0.0:80",
+			expected: httpclient.ErrReservedAddr,
+		},
+		{
+			name:     "IPv4 dummy address",
+			ntwrk:    "tcp4",
+			addr:     "192.0.0.8:80",
+			expected: nil, // We allowed this explicitly.
+		},
+		{
+			name:     "IPv4 Port Control Protocol Anycast",
+			ntwrk:    "tcp4",
+			addr:     "192.0.0.9:80",
+			expected: httpclient.ErrReservedAddr,
+		},
+		{
+			name:     "IPv4 Traversal Using Relays around NAT Anycast",
+			ntwrk:    "tcp4",
+			addr:     "192.0.0.10:80",
+			expected: httpclient.ErrReservedAddr,
+		},
+		{
+			name:     "IPv4 NAT64/DNS64 Discovery 1",
+			ntwrk:    "tcp4",
+			addr:     "192.0.0.17:80",
+			expected: httpclient.ErrReservedAddr,
+		},
+		{
+			name:     "IPv4 NAT64/DNS64 Discovery 2",
+			ntwrk:    "tcp4",
+			addr:     "192.0.0.171:80",
+			expected: httpclient.ErrReservedAddr,
+		},
+		{
+			name:     "example.org",
+			ntwrk:    "tcp4",
+			addr:     "93.184.216.34:80",
+			expected: httpclient.ErrReservedAddr, // We blocked this explicitly.
+		},
+		// IPv6 tests
+		{
+			name:     "IPv4-mapped address",
+			ntwrk:    "tcp6",
+			addr:     "[::ffff:169.254.169.254]:80",
+			expected: nil, // We allowed this explicitly.
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if err := s.Sanitize(tc.ntwrk, tc.addr, nil); !errors.Is(err, tc.expected) {
+				t.Fatalf("Expected error %q for addr %s, got: %q", tc.expected, tc.addr, err)
+			}
+		})
+	}
+}