diff --git a/src/infra/net/ssrf.test.ts b/src/infra/net/ssrf.test.ts index f2097eedac4..4a41eafa15c 100644 --- a/src/infra/net/ssrf.test.ts +++ b/src/infra/net/ssrf.test.ts @@ -2,56 +2,53 @@ import { describe, expect, it } from "vitest"; import { normalizeFingerprint } from "../tls/fingerprint.js"; import { isPrivateIpAddress } from "./ssrf.js"; +const privateIpCases = [ + "::ffff:127.0.0.1", + "0:0:0:0:0:ffff:7f00:1", + "0000:0000:0000:0000:0000:ffff:7f00:0001", + "::127.0.0.1", + "0:0:0:0:0:0:7f00:1", + "[0:0:0:0:0:ffff:7f00:1]", + "::ffff:169.254.169.254", + "0:0:0:0:0:ffff:a9fe:a9fe", + "64:ff9b::127.0.0.1", + "64:ff9b::169.254.169.254", + "64:ff9b:1::192.168.1.1", + "64:ff9b:1::10.0.0.1", + "2002:7f00:0001::", + "2002:a9fe:a9fe::", + "2001:0000:0:0:0:0:80ff:fefe", + "2001:0000:0:0:0:0:3f57:fefe", + "::", + "::1", + "fe80::1%lo0", + "fd00::1", + "fec0::1", +]; + +const publicIpCases = [ + "93.184.216.34", + "2606:4700:4700::1111", + "2001:db8::1", + "64:ff9b::8.8.8.8", + "64:ff9b:1::8.8.8.8", + "2002:0808:0808::", + "2001:0000:0:0:0:0:f7f7:f7f7", +]; + +const malformedIpv6Cases = ["::::", "2001:db8::gggg"]; + describe("ssrf ip classification", () => { - it("treats IPv4-mapped and IPv4-compatible IPv6 loopback as private", () => { - expect(isPrivateIpAddress("::ffff:127.0.0.1")).toBe(true); - expect(isPrivateIpAddress("0:0:0:0:0:ffff:7f00:1")).toBe(true); - expect(isPrivateIpAddress("0000:0000:0000:0000:0000:ffff:7f00:0001")).toBe(true); - expect(isPrivateIpAddress("::127.0.0.1")).toBe(true); - expect(isPrivateIpAddress("0:0:0:0:0:0:7f00:1")).toBe(true); - expect(isPrivateIpAddress("[0:0:0:0:0:ffff:7f00:1]")).toBe(true); + it.each(privateIpCases)("classifies %s as private", (address) => { + expect(isPrivateIpAddress(address)).toBe(true); }); - it("treats IPv4-mapped metadata/link-local as private", () => { - expect(isPrivateIpAddress("::ffff:169.254.169.254")).toBe(true); - expect(isPrivateIpAddress("0:0:0:0:0:ffff:a9fe:a9fe")).toBe(true); + it.each(publicIpCases)("classifies %s as public", (address) => { + expect(isPrivateIpAddress(address)).toBe(false); }); - it("treats private IPv4 embedded in NAT64 prefixes as private", () => { - expect(isPrivateIpAddress("64:ff9b::127.0.0.1")).toBe(true); - expect(isPrivateIpAddress("64:ff9b::169.254.169.254")).toBe(true); - expect(isPrivateIpAddress("64:ff9b:1::192.168.1.1")).toBe(true); - expect(isPrivateIpAddress("64:ff9b:1::10.0.0.1")).toBe(true); - }); - - it("treats private IPv4 embedded in 6to4 and Teredo prefixes as private", () => { - expect(isPrivateIpAddress("2002:7f00:0001::")).toBe(true); - expect(isPrivateIpAddress("2002:a9fe:a9fe::")).toBe(true); - expect(isPrivateIpAddress("2001:0000:0:0:0:0:80ff:fefe")).toBe(true); - expect(isPrivateIpAddress("2001:0000:0:0:0:0:3f57:fefe")).toBe(true); - }); - - it("treats common IPv6 private/internal ranges as private", () => { - expect(isPrivateIpAddress("::")).toBe(true); - expect(isPrivateIpAddress("::1")).toBe(true); - expect(isPrivateIpAddress("fe80::1%lo0")).toBe(true); - expect(isPrivateIpAddress("fd00::1")).toBe(true); - expect(isPrivateIpAddress("fec0::1")).toBe(true); - }); - - it("does not classify public IPs as private", () => { - expect(isPrivateIpAddress("93.184.216.34")).toBe(false); - expect(isPrivateIpAddress("2606:4700:4700::1111")).toBe(false); - expect(isPrivateIpAddress("2001:db8::1")).toBe(false); - expect(isPrivateIpAddress("64:ff9b::8.8.8.8")).toBe(false); - expect(isPrivateIpAddress("64:ff9b:1::8.8.8.8")).toBe(false); - expect(isPrivateIpAddress("2002:0808:0808::")).toBe(false); - expect(isPrivateIpAddress("2001:0000:0:0:0:0:f7f7:f7f7")).toBe(false); - }); - - it("fails closed for malformed IPv6 input", () => { - expect(isPrivateIpAddress("::::")).toBe(true); - expect(isPrivateIpAddress("2001:db8::gggg")).toBe(true); + it.each(malformedIpv6Cases)("fails closed for malformed IPv6 %s", (address) => { + expect(isPrivateIpAddress(address)).toBe(true); }); }); diff --git a/src/infra/net/ssrf.ts b/src/infra/net/ssrf.ts index 0dfab0af90f..67d84b28476 100644 --- a/src/infra/net/ssrf.ts +++ b/src/infra/net/ssrf.ts @@ -142,58 +142,69 @@ function parseIpv6Hextets(address: string): number[] | null { return hextets; } +function decodeIpv4FromHextets(high: number, low: number): number[] { + return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; +} + +type EmbeddedIpv4Rule = { + matches: (hextets: number[]) => boolean; + extract: (hextets: number[]) => [high: number, low: number]; +}; + +const EMBEDDED_IPV4_RULES: EmbeddedIpv4Rule[] = [ + { + // IPv4-mapped: ::ffff:a.b.c.d and IPv4-compatible ::a.b.c.d. + matches: (hextets) => + hextets[0] === 0 && + hextets[1] === 0 && + hextets[2] === 0 && + hextets[3] === 0 && + hextets[4] === 0 && + (hextets[5] === 0xffff || hextets[5] === 0), + extract: (hextets) => [hextets[6], hextets[7]], + }, + { + // NAT64 well-known prefix: 64:ff9b::/96. + matches: (hextets) => + hextets[0] === 0x0064 && + hextets[1] === 0xff9b && + hextets[2] === 0 && + hextets[3] === 0 && + hextets[4] === 0 && + hextets[5] === 0, + extract: (hextets) => [hextets[6], hextets[7]], + }, + { + // NAT64 local-use prefix: 64:ff9b:1::/48. + matches: (hextets) => + hextets[0] === 0x0064 && + hextets[1] === 0xff9b && + hextets[2] === 0x0001 && + hextets[3] === 0 && + hextets[4] === 0 && + hextets[5] === 0, + extract: (hextets) => [hextets[6], hextets[7]], + }, + { + // 6to4 prefix: 2002::/16 where hextets[1..2] carry IPv4. + matches: (hextets) => hextets[0] === 0x2002, + extract: (hextets) => [hextets[1], hextets[2]], + }, + { + // Teredo prefix: 2001:0000::/32 with client IPv4 obfuscated via XOR 0xffff. + matches: (hextets) => hextets[0] === 0x2001 && hextets[1] === 0x0000, + extract: (hextets) => [hextets[6] ^ 0xffff, hextets[7] ^ 0xffff], + }, +]; + function extractIpv4FromEmbeddedIpv6(hextets: number[]): number[] | null { - // IPv4-mapped: ::ffff:a.b.c.d (and full-form variants) - // IPv4-compatible: ::a.b.c.d (deprecated, but still needs private-network blocking) - const zeroPrefix = hextets[0] === 0 && hextets[1] === 0 && hextets[2] === 0 && hextets[3] === 0; - if (zeroPrefix && hextets[4] === 0 && (hextets[5] === 0xffff || hextets[5] === 0)) { - const high = hextets[6]; - const low = hextets[7]; - return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; + for (const rule of EMBEDDED_IPV4_RULES) { + if (!rule.matches(hextets)) { + continue; + } + const [high, low] = rule.extract(hextets); + return decodeIpv4FromHextets(high, low); } - - // NAT64 well-known prefix: 64:ff9b::/96 - if ( - hextets[0] === 0x0064 && - hextets[1] === 0xff9b && - hextets[2] === 0 && - hextets[3] === 0 && - hextets[4] === 0 && - hextets[5] === 0 - ) { - const high = hextets[6]; - const low = hextets[7]; - return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; - } - - // NAT64 local-use prefix: 64:ff9b:1::/48 (common ::x.x.x.x form) - if ( - hextets[0] === 0x0064 && - hextets[1] === 0xff9b && - hextets[2] === 0x0001 && - hextets[3] === 0 && - hextets[4] === 0 && - hextets[5] === 0 - ) { - const high = hextets[6]; - const low = hextets[7]; - return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; - } - - // 6to4 prefix: 2002::/16 where hextets[1..2] carry the IPv4 address. - if (hextets[0] === 0x2002) { - const high = hextets[1]; - const low = hextets[2]; - return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; - } - - // Teredo prefix: 2001:0000::/32 where client IPv4 is obfuscated via XOR 0xffff. - if (hextets[0] === 0x2001 && hextets[1] === 0x0000) { - const high = hextets[6] ^ 0xffff; - const low = hextets[7] ^ 0xffff; - return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff]; - } - return null; }