Also block the CGNAT range (100.64.0.0/10)

2024-06-26 07:03:22 +00:00 · 2023-07-08 09:27:09 +01:00 · 2023-07-08 09:27:09 +01:00 · 8914b78816
commit 8914b78816
parent 9ea7f45fa7
2 changed files with 26 additions and 1 deletions
--- a/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java
+++ b/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java
@ -6,6 +6,7 @@

 import com.google.common.net.InetAddresses;

+import java.net.Inet4Address;
 import java.net.Inet6Address;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
@ -113,7 +114,6 @@ final class PrivatePattern implements AddressPredicate {

        private static final Set<InetAddress> additionalAddresses = Arrays.stream(new String[]{
            // Block various cloud providers internal IPs.
-            "100.100.100.200", // Alibaba
            "192.0.0.192", // Oracle
        }).map(InetAddresses::forString).collect(Collectors.toUnmodifiableSet());

@ -126,6 +126,7 @@ public boolean matches(InetAddress socketAddress) {
                || socketAddress.isSiteLocalAddress()  // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fec0::/10
                || socketAddress.isMulticastAddress()  // 224.0.0.0/4, ff00::/8
                || isUniqueLocalAddress(socketAddress) // fd00::/8
+                || isCarrierGradeNatAddress(socketAddress) // 100.64.0.0/10
                || additionalAddresses.contains(socketAddress);
        }

@ -141,6 +142,19 @@ private boolean isUniqueLocalAddress(InetAddress address) {
            // defined right now, so let's be conservative.
            return address instanceof Inet6Address && (address.getAddress()[0] & 0xff) == 0xfd;
        }
+
+        /**
+         * Determine if an IP address lives within the CGNAT address range (100.64.0.0/10).
+         *
+         * @param address The IP address to test.
+         * @return Whether this address sits in the CGNAT address range.
+         * @see <a href="https://en.wikipedia.org/wiki/Carrier-grade_NAT">Carrier-grade NAT on Wikipedia</a>
+         */
+        private boolean isCarrierGradeNatAddress(InetAddress address) {
+            if (!(address instanceof Inet4Address)) return false;
+            var bytes = address.getAddress();
+            return bytes[0] == 100 && ((bytes[1] & 0xFF) >= 64 && (bytes[1] & 0xFF) <= 127);
+        }
    }

 }
--- a/projects/core/src/test/java/dan200/computercraft/core/apis/http/options/AddressRuleTest.java
+++ b/projects/core/src/test/java/dan200/computercraft/core/apis/http/options/AddressRuleTest.java
@ -34,6 +34,8 @@ public void matchesPort() {
        "172.17.0.1", "192.168.1.114", "[0:0:0:0:0:ffff:c0a8:172]", "10.0.0.1",
        // Multicast
        "224.0.0.1", "ff02::1",
+        // CGNAT
+        "100.64.0.0", "100.127.255.255",
        // Cloud metadata providers
        "100.100.100.200", // Alibaba
        "192.0.0.192", // Oracle
@ -44,6 +46,15 @@ public void blocksLocalDomains(String domain) {
        assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.DENY);
    }

+    @ParameterizedTest
+    @ValueSource(strings = {
+        // Ensure either side of the CGNAT range is allowed.
+        "100.63.255.255", "100.128.0.0"
+    })
+    public void allowsNonLocalDomains(String domain) {
+        assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.ALLOW);
+    }
+
    private Options apply(Iterable<AddressRule> rules, String host, int port) {
        return AddressRule.apply(rules, host, new InetSocketAddress(host, port));
    }