Fix bypass bug with malformed addresses

The Ruby Resolv library can return an empty array from getaddresses for
some atypical IP address encodings. This was brought to my attention by
@EdOverflow.
jtdowney committed Nov 5, 2017
1 parent 47b15f6 commit 58a0d7fe31de339c0117160567a5b33ad82b46af
Showing with 6 additions and 0 deletions.
  1. +2 −0 lib/private_address_check.rb
  2. +4 −0 test/private_address_check_test.rb
@@ -31,6 +31,8 @@ def private_address?(address)
def resolves_to_private_address?(hostname)
ips = Resolv.getaddresses(hostname)
return true if ips.empty?
ips.any? do |ip|
private_address?(ip)
end
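
Review bot: The new early return `return true if ips.empty?` in `resolves_to_private_address?` has no comment saying why an empty result is treated as private, and it also changes what the method reports for any hostname that does not resolve at all: that case now returns true as well. Please add a short comment above the line stating that `Resolv.getaddresses` can return an empty array for atypical IP encodings and that the check deliberately fails closed, so a later reader does not "fix" it back to returning false for unresolvable names.
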
@@ -35,4 +35,8 @@ def test_private_hostname_for_public_addresses
def test_private_hostname_for_private_addresses
assert PrivateAddressCheck.resolves_to_private_address?("localhost")
end
def test_private_address_for_malformed_addresses
assert PrivateAddressCheck.resolves_to_private_address?("127.1")
end
end
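
Review bot: The new test is named `test_private_address_for_malformed_addresses` but calls `resolves_to_private_address?`, while the neighbouring tests for that method use the `test_private_hostname_for_...` prefix; renaming it to match would keep the two groups of tests distinguishable. The assertion on "127.1" also passes whether Resolv returns an empty array or resolves the value to a loopback address, so it does not pin down the empty-array branch by itself. Consider adding a second assertion with a hostname that is guaranteed not to resolve, which exercises `ips.empty?` directly.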
