fix: ensure cloud metadata SSRF error is consistent for IPv4-mapped addresses

GitHub Actions
2026-03-18 17:23:53 +00:00
parent fcc9309f2e
commit 3099d74b28
@@ -294,6 +294,11 @@ func ValidateExternalURL(rawURL string, options ...ValidationOption) (string, er
continue
}
if network.IsPrivateIP(ipv4) {
// Cloud metadata endpoint must produce the specific error even
// when the address arrives as an IPv4-mapped IPv6 value.
if ipv4.String() == "169.254.169.254" {
return "", fmt.Errorf("access to cloud metadata endpoints is blocked for security (detected: %s)", sanitizeIPForError(ipv4.String()))
}
return "", fmt.Errorf("connection to private ip addresses is blocked for security (detected IPv4-mapped IPv6: %s)", ip.String())
}
}
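Review bot: The new `if ipv4.String() == "169.254.169.254"` check is nested inside `network.IsPrivateIP(ipv4)`, so the metadata-specific block only fires while that helper keeps classifying link-local 169.254.0.0/16 as private; hoisting the check above the `IsPrivateIP` branch would make it independent of that classification. Comparing rendered strings is also more fragile than comparing addresses: assuming `ipv4` is a `net.IP`, `if ipv4.Equal(net.IPv4(169, 254, 169, 254)) {` expresses the same test without depending on formatting. The literal presumably duplicates the one used on the non-mapped path, which is outside this hunk, so a shared constant or helper would keep the two error paths from drifting apart again. The adjacent private-IP error still prints `ip.String()` directly while the new line goes through `sanitizeIPForError`, and the two should be made consistent. `ValidateExternalURL` starts and ends outside the hunk, so the surrounding loop and the non-mapped branch could not be checked here.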