Also block the CGNAT range (100.64.0.0/10)
parent
9ea7f45fa7
commit
8914b78816
@ -6,6 +6,7 @@ package dan200.computercraft.core.apis.http.options;
|
||||
|
||||
import com.google.common.net.InetAddresses;
|
||||
|
||||
import java.net.Inet4Address;
|
||||
import java.net.Inet6Address;
|
||||
import java.net.InetAddress;
|
||||
import java.net.InetSocketAddress;
|
||||
@ -113,7 +114,6 @@ interface AddressPredicate {
|
||||
|
||||
private static final Set<InetAddress> additionalAddresses = Arrays.stream(new String[]{
|
||||
// Block various cloud providers internal IPs.
|
||||
"100.100.100.200", // Alibaba
|
||||
"192.0.0.192", // Oracle
|
||||
}).map(InetAddresses::forString).collect(Collectors.toUnmodifiableSet());
|
||||
|
||||
@ -126,6 +126,7 @@ interface AddressPredicate {
|
||||
|| socketAddress.isSiteLocalAddress() // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fec0::/10
|
||||
|| socketAddress.isMulticastAddress() // 224.0.0.0/4, ff00::/8
|
||||
|| isUniqueLocalAddress(socketAddress) // fd00::/8
|
||||
|| isCarrierGradeNatAddress(socketAddress) // 100.64.0.0/10
|
||||
|| additionalAddresses.contains(socketAddress);
|
||||
}
|
||||
|
||||
@ -141,6 +142,19 @@ interface AddressPredicate {
|
||||
// defined right now, so let's be conservative.
|
||||
return address instanceof Inet6Address && (address.getAddress()[0] & 0xff) == 0xfd;
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if an IP address lives within the CGNAT address range (100.64.0.0/10).
|
||||
*
|
||||
* @param address The IP address to test.
|
||||
* @return Whether this address sits in the CGNAT address range.
|
||||
* @see <a href="https://en.wikipedia.org/wiki/Carrier-grade_NAT">Carrier-grade NAT on Wikipedia</a>
|
||||
*/
|
||||
private boolean isCarrierGradeNatAddress(InetAddress address) {
|
||||
if (!(address instanceof Inet4Address)) return false;
|
||||
var bytes = address.getAddress();
|
||||
return bytes[0] == 100 && ((bytes[1] & 0xFF) >= 64 && (bytes[1] & 0xFF) <= 127);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
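Review bot: The Javadoc on `isCarrierGradeNatAddress` states which range is matched but not why it is denied, and the `"100.100.100.200", // Alibaba` literal in `additionalAddresses` (if it is still present on the new side) now falls inside 100.64.0.0/10, so it is covered twice. I would add a sentence to the Javadoc along the lines of `This shared address space (RFC 6598) is not publicly routable and can front provider-internal services, so it is treated like a private range.` and annotate the literal as `// Alibaba (also covered by the CGNAT check)` so a later reader does not take it for the only guard. The byte comparison itself is correct for the /10; `(bytes[1] & 0xC0) == 0x40` would express the prefix directly if a mask form is preferred.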
@ -34,6 +34,8 @@ public class AddressRuleTest {
|
||||
"172.17.0.1", "192.168.1.114", "[0:0:0:0:0:ffff:c0a8:172]", "10.0.0.1",
|
||||
// Multicast
|
||||
"224.0.0.1", "ff02::1",
|
||||
// CGNAT
|
||||
"100.64.0.0", "100.127.255.255",
|
||||
// Cloud metadata providers
|
||||
"100.100.100.200", // Alibaba
|
||||
"192.0.0.192", // Oracle
|
||||
@ -44,6 +46,15 @@ public class AddressRuleTest {
|
||||
assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.DENY);
|
||||
}
|
||||
|
||||
@ParameterizedTest
|
||||
@ValueSource(strings = {
|
||||
// Ensure either side of the CGNAT range is allowed.
|
||||
"100.63.255.255", "100.128.0.0"
|
||||
})
|
||||
public void allowsNonLocalDomains(String domain) {
|
||||
assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.ALLOW);
|
||||
}
|
||||
|
||||
private Options apply(Iterable<AddressRule> rules, String host, int port) {
|
||||
return AddressRule.apply(rules, host, new InetSocketAddress(host, port));
|
||||
}
|
||||
|
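Review bot: The CGNAT cases in the deny list cover only dotted IPv4 literals, while `isCarrierGradeNatAddress` returns false for anything that is not an `Inet4Address`. The site-local list already pins the IPv4-mapped form with `"[0:0:0:0:0:ffff:c0a8:172]"`; adding the equivalent for this range, e.g. `"[0:0:0:0:0:ffff:6440:1]"` (constructed: the mapped form of 100.64.0.1), would confirm that such input is presumably normalised to an `Inet4Address` before the predicate runs and is still denied. As a style point, `assertEquals(apply(...).action, Action.ALLOW)` passes actual before expected, so a failure message will label the two values the wrong way round; `assertEquals(Action.ALLOW, apply(CoreConfig.httpRules, domain, 80).action);` reads correctly.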