ResilientClient allowed to call internal IPs cannot call 100.64.0.0/10 IP range.

[David-Wobrock]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

When creating a ResilientClient that is allowed calling internal IPs, some internal IP ranges are still blocked.

TL;DR:

The IP range 100.64.0.0/10 is blocked by the ResilientClient, even if we allow internal IPs or if we whitelist this specific IP.
Thus, there is no way to pass it.

---

Expected behaviour:

c := NewResilientClient()
c.Get("http://100.64.1.1:80/route")

should work, but instead we get an error:

[ERR] POST http://100.64.1.1:80/route request failed: Post "http://100.64.1.1:80/route": dial tcp 100.64.1.1:80: prohibited IP address: 100.64.1.1 is not a permitted destination (denied by: 100.64.0.0/10)

❌
This comes back to this range that is defined here: https://github.com/daenney/ssrf/blob/main/ssrf_gen.go#L38

We should only get this error when we do:

c := NewResilientClient(
  ResilientClientDisallowInternalIPs(),
)
c.Get("http://100.64.1.1:80/route")

---

Additionally, the ResilientClientAllowInternalIPRequestsTo option will not work as expected for these ranges.
Example:

c := NewResilientClient(
	ResilientClientDisallowInternalIPs(),
	ResilientClientAllowInternalIPRequestsTo("http://100.64.1.1:80/route"),
)
c.Get("http://100.64.1.1:80/route")

should work, but instead we get the same error:

[ERR] POST http://100.64.1.1:80/route request failed: Post "http://100.64.1.1:80/route": dial tcp 100.64.1.1:80: prohibited IP address: 100.64.1.1 is not a permitted destination (denied by: 100.64.0.0/10)

This happens because, no matter the onWhitelist RoundTripper that we use, it is a ssrf.Safe where we don't allow the 100.64.0.0/10 IP range.

Reproducing the bug

Can be reproduced in the test suite quite easily, by creating a new test case like we have in httpx/resilient_client_test.go.

Relevant log output

No response

Relevant configuration

No response

Version

v0.0.649

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

I'll try to submit a patch in the coming days/weeks.

[Jasperhino]

Any updates or workarround for this?

[David-Wobrock]

Any updates or workarround for this?

Hey @Jasperhino
There are some discussions around this issue on the related PR: #806

The tendency is rather towards adding a new allowlist of CIDR ranges.

[amorey]

@Jasperhino I just ran into this issue and it took me a few hours to debug it. If you need a short term fix, you can use a local tcp tunnel to get around the IP range issue. Looking forward to seeing @David-Wobrock's PR get merged.