SECURITY: Consider 0.0.0.0 a private IP

Robin Ward 2018-07-24 11:15:37 -04:00
parent 9fff53407c
commit 236243f38a
2 changed files with 6 additions and 0 deletions


@ -293,6 +293,7 @@ class FinalDestination
def self.standard_private_ranges
@private_ranges ||= [
IPAddr.new('0.0.0.0/8'),
IPAddr.new('127.0.0.1'),
IPAddr.new('172.16.0.0/12'),
IPAddr.new('192.168.0.0/16'),
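Review bot: The loopback entry right after the new `0.0.0.0/8` range is a single host, `IPAddr.new('127.0.0.1')`, while the new entry and the two below it are CIDR ranges; the loopback block is the whole of 127.0.0.0/8, so this list rejects only one address of that range and other loopback addresses pass the private-range check. Changing the line to `IPAddr.new('127.0.0.0/8'),` closes that gap and matches the style of the neighbouring entries. The array in `standard_private_ranges` continues past the visible lines, so whether link-local (169.254.0.0/16) or IPv6 loopback entries are listed further down cannot be seen here. The private-ipv4 spec in the second file only exercises 127.0.0.1 and 192.168.1.3, so a widened loopback range would also deserve an assertion of its own.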


@ -337,6 +337,11 @@ describe FinalDestination do
expect(fd("https://104.25.153.10").is_dest_valid?).to eq(true)
end
it "returns false for short ip" do
expect(FinalDestination.new('https://0/logo.png').is_dest_valid?).to eq(false)
expect(FinalDestination.new('https://1/logo.png').is_dest_valid?).to eq(false)
end
it "returns false for private ipv4" do
expect(fd("https://127.0.0.1").is_dest_valid?).to eq(false)
expect(fd("https://192.168.1.3").is_dest_valid?).to eq(false)