Enhance metadata URI validation#53
Merged
Merged
Conversation
gabmontes
force-pushed
the
fix-reserved-ranges
branch
from
e812a5c to
0ea9b53
Compare
Author
|
Explorer tests fail randomly. A fix is in the works in #54. |
There was a problem hiding this comment.
Pull request overview
This PR hardens Explorer.MetadataURIValidator to reduce SSRF risk by expanding the reserved/private IP CIDR blacklist (notably for IPv6) and adding ExUnit coverage for IPv4, IPv6, and IPv6-mapped IPv4 inputs.
Changes:
- Expanded
@reserved_rangeswith multiple IPv6 special-use CIDRs and added IPv6-mapped IPv4 handling. - Updated
allowed_ip?/1to perform additional checks for IPv6-mapped IPv4 addresses. - Added a new test module covering blocked/allowed hosts and invalid URI/protocol cases.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
apps/explorer/lib/explorer/metadata_uri_validator.ex |
Extends reserved CIDR blacklist and adds IPv6-mapped IPv4 extraction/check logic. |
apps/explorer/test/explorer/metadata_uri_validator_test.exs |
Adds a dedicated test suite validating blacklisting behavior across IP formats and URI validation errors. |
Comments suppressed due to low confidence (1)
apps/explorer/test/explorer/metadata_uri_validator_test.exs:15
- setup/0 overwrites Application env for :indexer, Indexer.Fetcher.TokenInstance.Helper but never restores the previous value. This can leak configuration into other tests (especially when tests run concurrently); capture the old config and restore it in on_exit/1 (and consider avoiding persistent_term cache keys shared across the suite).
# Ensure the required config is set for tests
Application.put_env(:indexer, Indexer.Fetcher.TokenInstance.Helper,
cidr_blacklist: [],
allowed_uri_protocols: ["http", "https"],
host_filtering_enabled?: true
)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
gabmontes
force-pushed
the
fix-reserved-ranges
branch
from
0ea9b53 to
450c777
Compare
auto-merge was automatically disabled
May 21, 2026 15:08
Pull request was converted to draft
gabmontes
force-pushed
the
fix-reserved-ranges
branch
from
450c777 to
149907b
Compare
gabmontes
force-pushed
the
fix-reserved-ranges
branch
from
149907b to
dca9d0b
Compare
joshuasing
approved these changes
May 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request strengthens the IP address validation logic in
Explorer.MetadataURIValidatorto provide more robust protection against requests to private, reserved, and special-use IP ranges, especially for IPv6 and IPv6-mapped IPv4 addresses. It also introduces comprehensive tests to ensure the validator correctly blocks or allows various types of addresses.Improvements to IP address validation:
@reserved_rangesto include several important IPv6 ranges, such as loopback, unique local, link-local, documentation, and discard prefixes, as well as IPv6-mapped IPv4 and translated address spaces.allowed_ip?/1logic to detect and block IPv6-mapped IPv4 addresses by extracting and checking the embedded IPv4 address against the blacklist, providing defense-in-depth against bypass attempts.extract_ipv4_from_mapped/1to correctly parse and handle IPv6-mapped IPv4 addresses.Bitwisemodule to support bitwise operations needed for IPv6 address parsing.Testing improvements:
metadata_uri_validator_test.exswith extensive tests covering IPv4, native IPv6, and IPv6-mapped IPv4 addresses, ensuring the validator blocks all reserved and private ranges and allows valid public addresses. Tests also cover invalid URIs and disallowed protocols.Checklist for your Pull Request (PR)
masterin the Version column. If I removed variable, I added it to Deprecated ENV Variables page. After merging docs PR, changes will be reflected in these pages.