SECURITY: Consider 0.0.0.0 a private IP

2018-07-24 11:15:37 -04:00 · 2018-07-24 11:15:37 -04:00 · 878aee965b
commit 878aee965b
parent cf9b4a789b
2 changed files with 6 additions and 0 deletions
--- a/lib/final_destination.rb
+++ b/lib/final_destination.rb
@ -298,6 +298,7 @@ class FinalDestination

  def self.standard_private_ranges
    @private_ranges ||= [
+      IPAddr.new('0.0.0.0/8'),
      IPAddr.new('127.0.0.1'),
      IPAddr.new('172.16.0.0/12'),
      IPAddr.new('192.168.0.0/16'),
--- a/spec/components/final_destination_spec.rb
+++ b/spec/components/final_destination_spec.rb
@ -337,6 +337,11 @@ describe FinalDestination do
      expect(fd("https://104.25.153.10").is_dest_valid?).to eq(true)
    end

+    it "returns false for short ip" do
+      expect(FinalDestination.new('https://0/logo.png').is_dest_valid?).to eq(false)
+      expect(FinalDestination.new('https://1/logo.png').is_dest_valid?).to eq(false)
+    end
+
    it "returns false for private ipv4" do
      expect(fd("https://127.0.0.1").is_dest_valid?).to eq(false)
      expect(fd("https://192.168.1.3").is_dest_valid?).to eq(false)