LLM/moltbot
1
0
Fork 0
mirror of https://github.com/moltbot/moltbot.git synced 2026-03-08 06:54:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(net): table-drive embedded IPv6 decoding and SSRF tests

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-18 04:57:01 +01:00
parent 35016a380c
commit e8154c12e6
2 changed files with 103 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
src/infra/net/ssrf.test.ts
View File

@@ -2,56 +2,53 @@ import { describe, expect, it } from "vitest";
import { normalizeFingerprint } from "../tls/fingerprint.js";
import { isPrivateIpAddress } from "./ssrf.js";
const privateIpCases = [
"::ffff:127.0.0.1",
"0:0:0:0:0:ffff:7f00:1",
"0000:0000:0000:0000:0000:ffff:7f00:0001",
"::127.0.0.1",
"0:0:0:0:0:0:7f00:1",
"[0:0:0:0:0:ffff:7f00:1]",
"::ffff:169.254.169.254",
"0:0:0:0:0:ffff:a9fe:a9fe",
"64:ff9b::127.0.0.1",
"64:ff9b::169.254.169.254",
"64:ff9b:1::192.168.1.1",
"64:ff9b:1::10.0.0.1",
"2002:7f00:0001::",
"2002:a9fe:a9fe::",
"2001:0000:0:0:0:0:80ff:fefe",
"2001:0000:0:0:0:0:3f57:fefe",
"::",
"::1",
"fe80::1%lo0",
"fd00::1",
"fec0::1",
];
const publicIpCases = [
"93.184.216.34",
"2606:4700:4700::1111",
"2001:db8::1",
"64:ff9b::8.8.8.8",
"64:ff9b:1::8.8.8.8",
"2002:0808:0808::",
"2001:0000:0:0:0:0:f7f7:f7f7",
];
const malformedIpv6Cases = ["::::", "2001:db8::gggg"];
describe("ssrf ip classification", () => {
it("treats IPv4-mapped and IPv4-compatible IPv6 loopback as private", () => {
expect(isPrivateIpAddress("::ffff:127.0.0.1")).toBe(true);
expect(isPrivateIpAddress("0:0:0:0:0:ffff:7f00:1")).toBe(true);
expect(isPrivateIpAddress("0000:0000:0000:0000:0000:ffff:7f00:0001")).toBe(true);
expect(isPrivateIpAddress("::127.0.0.1")).toBe(true);
expect(isPrivateIpAddress("0:0:0:0:0:0:7f00:1")).toBe(true);
expect(isPrivateIpAddress("[0:0:0:0:0:ffff:7f00:1]")).toBe(true);
it.each(privateIpCases)("classifies %s as private", (address) => {
expect(isPrivateIpAddress(address)).toBe(true);
});
it("treats IPv4-mapped metadata/link-local as private", () => {
expect(isPrivateIpAddress("::ffff:169.254.169.254")).toBe(true);
expect(isPrivateIpAddress("0:0:0:0:0:ffff:a9fe:a9fe")).toBe(true);
it.each(publicIpCases)("classifies %s as public", (address) => {
expect(isPrivateIpAddress(address)).toBe(false);
});
it("treats private IPv4 embedded in NAT64 prefixes as private", () => {
expect(isPrivateIpAddress("64:ff9b::127.0.0.1")).toBe(true);
expect(isPrivateIpAddress("64:ff9b::169.254.169.254")).toBe(true);
expect(isPrivateIpAddress("64:ff9b:1::192.168.1.1")).toBe(true);
expect(isPrivateIpAddress("64:ff9b:1::10.0.0.1")).toBe(true);
});
it("treats private IPv4 embedded in 6to4 and Teredo prefixes as private", () => {
expect(isPrivateIpAddress("2002:7f00:0001::")).toBe(true);
expect(isPrivateIpAddress("2002:a9fe:a9fe::")).toBe(true);
expect(isPrivateIpAddress("2001:0000:0:0:0:0:80ff:fefe")).toBe(true);
expect(isPrivateIpAddress("2001:0000:0:0:0:0:3f57:fefe")).toBe(true);
});
it("treats common IPv6 private/internal ranges as private", () => {
expect(isPrivateIpAddress("::")).toBe(true);
expect(isPrivateIpAddress("::1")).toBe(true);
expect(isPrivateIpAddress("fe80::1%lo0")).toBe(true);
expect(isPrivateIpAddress("fd00::1")).toBe(true);
expect(isPrivateIpAddress("fec0::1")).toBe(true);
});
it("does not classify public IPs as private", () => {
expect(isPrivateIpAddress("93.184.216.34")).toBe(false);
expect(isPrivateIpAddress("2606:4700:4700::1111")).toBe(false);
expect(isPrivateIpAddress("2001:db8::1")).toBe(false);
expect(isPrivateIpAddress("64:ff9b::8.8.8.8")).toBe(false);
expect(isPrivateIpAddress("64:ff9b:1::8.8.8.8")).toBe(false);
expect(isPrivateIpAddress("2002:0808:0808::")).toBe(false);
expect(isPrivateIpAddress("2001:0000:0:0:0:0:f7f7:f7f7")).toBe(false);
});
it("fails closed for malformed IPv6 input", () => {
expect(isPrivateIpAddress("::::")).toBe(true);
expect(isPrivateIpAddress("2001:db8::gggg")).toBe(true);
it.each(malformedIpv6Cases)("fails closed for malformed IPv6 %s", (address) => {
expect(isPrivateIpAddress(address)).toBe(true);
});
});

111
src/infra/net/ssrf.ts
View File

@@ -142,58 +142,69 @@ function parseIpv6Hextets(address: string): number[] | null {
return hextets;
}
function decodeIpv4FromHextets(high: number, low: number): number[] {
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
type EmbeddedIpv4Rule = {
matches: (hextets: number[]) => boolean;
extract: (hextets: number[]) => [high: number, low: number];
};
const EMBEDDED_IPV4_RULES: EmbeddedIpv4Rule[] = [
{
// IPv4-mapped: ::ffff:a.b.c.d and IPv4-compatible ::a.b.c.d.
matches: (hextets) =>
hextets[0] === 0 &&
hextets[1] === 0 &&
hextets[2] === 0 &&
hextets[3] === 0 &&
hextets[4] === 0 &&
(hextets[5] === 0xffff || hextets[5] === 0),
extract: (hextets) => [hextets[6], hextets[7]],
},
{
// NAT64 well-known prefix: 64:ff9b::/96.
matches: (hextets) =>
hextets[0] === 0x0064 &&
hextets[1] === 0xff9b &&
hextets[2] === 0 &&
hextets[3] === 0 &&
hextets[4] === 0 &&
hextets[5] === 0,
extract: (hextets) => [hextets[6], hextets[7]],
},
{
// NAT64 local-use prefix: 64:ff9b:1::/48.
matches: (hextets) =>
hextets[0] === 0x0064 &&
hextets[1] === 0xff9b &&
hextets[2] === 0x0001 &&
hextets[3] === 0 &&
hextets[4] === 0 &&
hextets[5] === 0,
extract: (hextets) => [hextets[6], hextets[7]],
},
{
// 6to4 prefix: 2002::/16 where hextets[1..2] carry IPv4.
matches: (hextets) => hextets[0] === 0x2002,
extract: (hextets) => [hextets[1], hextets[2]],
},
{
// Teredo prefix: 2001:0000::/32 with client IPv4 obfuscated via XOR 0xffff.
matches: (hextets) => hextets[0] === 0x2001 && hextets[1] === 0x0000,
extract: (hextets) => [hextets[6] ^ 0xffff, hextets[7] ^ 0xffff],
},
];
function extractIpv4FromEmbeddedIpv6(hextets: number[]): number[] | null {
// IPv4-mapped: ::ffff:a.b.c.d (and full-form variants)
// IPv4-compatible: ::a.b.c.d (deprecated, but still needs private-network blocking)
const zeroPrefix = hextets[0] === 0 && hextets[1] === 0 && hextets[2] === 0 && hextets[3] === 0;
if (zeroPrefix && hextets[4] === 0 && (hextets[5] === 0xffff || hextets[5] === 0)) {
const high = hextets[6];
const low = hextets[7];
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
for (const rule of EMBEDDED_IPV4_RULES) {
if (!rule.matches(hextets)) {
continue;
}
const [high, low] = rule.extract(hextets);
return decodeIpv4FromHextets(high, low);
}
// NAT64 well-known prefix: 64:ff9b::/96
if (
hextets[0] === 0x0064 &&
hextets[1] === 0xff9b &&
hextets[2] === 0 &&
hextets[3] === 0 &&
hextets[4] === 0 &&
hextets[5] === 0
) {
const high = hextets[6];
const low = hextets[7];
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
// NAT64 local-use prefix: 64:ff9b:1::/48 (common ::x.x.x.x form)
if (
hextets[0] === 0x0064 &&
hextets[1] === 0xff9b &&
hextets[2] === 0x0001 &&
hextets[3] === 0 &&
hextets[4] === 0 &&
hextets[5] === 0
) {
const high = hextets[6];
const low = hextets[7];
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
// 6to4 prefix: 2002::/16 where hextets[1..2] carry the IPv4 address.
if (hextets[0] === 0x2002) {
const high = hextets[1];
const low = hextets[2];
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
// Teredo prefix: 2001:0000::/32 where client IPv4 is obfuscated via XOR 0xffff.
if (hextets[0] === 0x2001 && hextets[1] === 0x0000) {
const high = hextets[6] ^ 0xffff;
const low = hextets[7] ^ 0xffff;
return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
}
return null;
}