util/netsafe/netsafe.go

package netsafe

import (
	"context"
	"fmt"
	"net"
	"regexp"
	"strings"
	"time"
)

func IsBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

type allowPrivateCtxKey struct{}

func ContextWithAllowPrivate(ctx context.Context, allow bool) context.Context {
	return context.WithValue(ctx, allowPrivateCtxKey{}, allow)
}

func AllowPrivateFromContext(ctx context.Context) bool {
	v, _ := ctx.Value(allowPrivateCtxKey{}).(bool)
	return v
}

var defaultDialer = &net.Dialer{Timeout: 10 * time.Second}

func SSRFGuardedDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	allowPrivate := AllowPrivateFromContext(ctx)
	var ips []net.IPAddr
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IPAddr{{IP: ip}}
	} else {
		ips, err = net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
	}
	var lastErr error
	for _, ipAddr := range ips {
		if !allowPrivate && IsBlockedIP(ipAddr.IP) {
			lastErr = fmt.Errorf("blocked private/internal address %s", ipAddr.IP)
			continue
		}
		conn, derr := defaultDialer.DialContext(ctx, network, net.JoinHostPort(ipAddr.IP.String(), port))
		if derr == nil {
			return conn, nil
		}
		lastErr = derr
	}
	if lastErr == nil {
		lastErr = fmt.Errorf("no usable address for %s", host)
	}
	return nil, lastErr
}

var hostnamePattern = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)

func NormalizeHost(addr string) (string, error) {
	addr = strings.TrimSpace(addr)
	if addr == "" {
		return "", fmt.Errorf("address is required")
	}
	if strings.HasPrefix(addr, "[") && strings.HasSuffix(addr, "]") {
		addr = addr[1 : len(addr)-1]
	}
	if ip := net.ParseIP(addr); ip != nil {
		return ip.String(), nil
	}
	if len(addr) > 253 || !hostnamePattern.MatchString(addr) {
		return "", fmt.Errorf("invalid host %q", addr)
	}
	return addr, nil
}
fix(security): SSRF-guard node and remote HTTP clients 2026-05-13 13:33:53 +02:00			`package netsafe`

			`import (`
			`"context"`
			`"fmt"`
			`"net"`
			`"regexp"`
			`"strings"`
			`"time"`
			`)`

			`func IsBlockedIP(ip net.IP) bool {`
			`return ip.IsLoopback() \|\| ip.IsPrivate() \|\| ip.IsLinkLocalUnicast() \|\|`
			`ip.IsLinkLocalMulticast() \|\| ip.IsUnspecified()`
			`}`

			`type allowPrivateCtxKey struct{}`

			`func ContextWithAllowPrivate(ctx context.Context, allow bool) context.Context {`
			`return context.WithValue(ctx, allowPrivateCtxKey{}, allow)`
			`}`

			`func AllowPrivateFromContext(ctx context.Context) bool {`
			`v, _ := ctx.Value(allowPrivateCtxKey{}).(bool)`
			`return v`
			`}`

			`var defaultDialer = &net.Dialer{Timeout: 10 * time.Second}`

			`func SSRFGuardedDialContext(ctx context.Context, network, addr string) (net.Conn, error) {`
			`host, port, err := net.SplitHostPort(addr)`
			`if err != nil {`
			`return nil, err`
			`}`
			`allowPrivate := AllowPrivateFromContext(ctx)`
			`var ips []net.IPAddr`
			`if ip := net.ParseIP(host); ip != nil {`
			`ips = []net.IPAddr{{IP: ip}}`
			`} else {`
			`ips, err = net.DefaultResolver.LookupIPAddr(ctx, host)`
			`if err != nil {`
			`return nil, err`
			`}`
			`}`
			`var lastErr error`
			`for _, ipAddr := range ips {`
			`if !allowPrivate && IsBlockedIP(ipAddr.IP) {`
			`lastErr = fmt.Errorf("blocked private/internal address %s", ipAddr.IP)`
			`continue`
			`}`
			`conn, derr := defaultDialer.DialContext(ctx, network, net.JoinHostPort(ipAddr.IP.String(), port))`
			`if derr == nil {`
			`return conn, nil`
			`}`
			`lastErr = derr`
			`}`
			`if lastErr == nil {`
			`lastErr = fmt.Errorf("no usable address for %s", host)`
			`}`
			`return nil, lastErr`
			`}`

			var hostnamePattern = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-][A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-][A-Za-z0-9])?)*$`)

			`func NormalizeHost(addr string) (string, error) {`
			`addr = strings.TrimSpace(addr)`
			`if addr == "" {`
			`return "", fmt.Errorf("address is required")`
			`}`
			`if strings.HasPrefix(addr, "[") && strings.HasSuffix(addr, "]") {`
			`addr = addr[1 : len(addr)-1]`
			`}`
			`if ip := net.ParseIP(addr); ip != nil {`
			`return ip.String(), nil`
			`}`
			`if len(addr) > 253 \|\| !hostnamePattern.MatchString(addr) {`
			`return "", fmt.Errorf("invalid host %q", addr)`
			`}`
			`return addr, nil`
			`}`