feat: harden egress IP address validation (#5604)

mhilton · web-flow · commit 9e620eb68fc6 · 2026-03-13T06:37:39.000Z
* feat: Have a single dialer dependency

Consolodate down to a single implementation of Dialer in the
dependencies.

* feat: use a validating dialer to connect to prometheus

In the standardlib prometheus scrape function use the HTTP client from
the injected dependencies to provide IP validation at connection time.

* feat: expand PrivateIPValidator's block list

Extend the PrivateIPValidator to include additional IP ranges that are
defined as not being "Globally Reachable" by IANA.
diff --git a/dependencies.go b/dependencies.go
@@ -3,10 +3,9 @@ package flux
 import (
 	"context"
 	"net"
-	"syscall"
-	"time"
 
 	"github.com/influxdata/flux/codes"
+	"github.com/influxdata/flux/dependencies/dialer"
 	"github.com/influxdata/flux/dependencies/filesystem"
 	"github.com/influxdata/flux/dependencies/http"
 	"github.com/influxdata/flux/dependencies/secret"
@@ -126,22 +125,5 @@ func GetDialer(ctx context.Context) (*net.Dialer, error) {
 	if err != nil {
 		return nil, err
 	}
-
-	// Control is called after DNS lookup, but before the
-	// network connection is initiated.
-	control := func(network, address string, c syscall.RawConn) error {
-		host, _, err := net.SplitHostPort(address)
-		if err != nil {
-			return err
-		}
-
-		ip := net.ParseIP(host)
-		return url.ValidateIP(ip)
-	}
-
-	return &net.Dialer{
-		Timeout:   30 * time.Second,
-		KeepAlive: 30 * time.Second,
-		Control:   control,
-	}, nil
+	return dialer.New(url), nil
 }
diff --git a/dependencies/bigtable/bigtable.go b/dependencies/bigtable/bigtable.go
@@ -27,7 +27,7 @@ type Dependency struct {
 	Provider Provider
 }
 
-// Inject will inject the Dialer into the dependency chain.
+// Inject will inject the Provider into the dependency chain.
 func (d Dependency) Inject(ctx context.Context) context.Context {
 	return Inject(ctx, d.Provider)
 }
diff --git a/dependencies/dialer/dialer.go b/dependencies/dialer/dialer.go
@@ -0,0 +1,39 @@
+package dialer
+
+import (
+	"context"
+	"net"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/influxdata/flux/codes"
+	"github.com/influxdata/flux/dependencies/url"
+	"github.com/influxdata/flux/internal/errors"
+)
+
+// Create a new *net.Dialer that uses the provided url.Validator to
+// validate the destination OP address before connecting.
+func New(urlValidator url.Validator) *net.Dialer {
+	// ControlContext is called after DNS lookup, but before the network
+	// connection is initiated.
+	controlContext := func(ctx context.Context, network, address string, c syscall.RawConn) error {
+		host, _, err := net.SplitHostPort(address)
+		if err != nil {
+			return err
+		}
+		// Remove any zone from the host.
+		host, _, _ = strings.Cut(host, "%")
+		ip := net.ParseIP(host)
+		if ip == nil {
+			return errors.New(codes.Invalid, "no such host")
+		}
+		return urlValidator.ValidateIP(ip)
+	}
+
+	return &net.Dialer{
+		Timeout:        30 * time.Second,
+		KeepAlive:      30 * time.Second,
+		ControlContext: controlContext,
+	}
+}
diff --git a/dependencies/http/http.go b/dependencies/http/http.go
@@ -3,13 +3,11 @@ package http
 import (
 	"crypto/tls"
 	"io"
-	"net"
 	"net/http"
-	"strings"
-	"syscall"
 	"time"
 
 	"github.com/influxdata/flux/codes"
+	"github.com/influxdata/flux/dependencies/dialer"
 	"github.com/influxdata/flux/dependencies/url"
 	"github.com/influxdata/flux/internal/errors"
 )
@@ -64,28 +62,7 @@ func (l roundTripLimiter) RoundTrip(r *http.Request) (*http.Response, error) {
 
 // NewDefaultClient creates a client with sane defaults.
 func NewDefaultClient(urlValidator url.Validator) *http.Client {
-	// Control is called after DNS lookup, but before the network connection is
-	// initiated.
-	control := func(network, address string, c syscall.RawConn) error {
-		host, _, err := net.SplitHostPort(address)
-		if err != nil {
-			return err
-		}
-		// Remove any zone from the host.
-		host, _, _ = strings.Cut(host, "%")
-		ip := net.ParseIP(host)
-		if ip == nil {
-			return errors.New(codes.Invalid, "no such host")
-		}
-		return urlValidator.ValidateIP(ip)
-	}
-
-	dialer := &net.Dialer{
-		Timeout:   30 * time.Second,
-		KeepAlive: 30 * time.Second,
-		Control:   control,
-		// DualStack is deprecated
-	}
+	dialer := dialer.New(urlValidator)
 
 	// These defaults are copied from http.DefaultTransport.
 	return &http.Client{
diff --git a/dependencies/url/validator.go b/dependencies/url/validator.go
@@ -62,15 +62,51 @@ var privateIPBlocks []*net.IPNet
 
 func init() {
 	for _, cidr := range []string{
-		"0.0.0.0/32",     // Linux treats 0.0.0.0 as 127.0.0.1
-		"127.0.0.0/8",    // IPv4 loopback
-		"10.0.0.0/8",     // RFC1918
-		"172.16.0.0/12",  // RFC1918
-		"192.168.0.0/16", // RFC1918
-		"169.254.0.0/16", // RFC3927
-		"::1/128",        // IPv6 loopback
-		"fe80::/10",      // IPv6 link-local
-		"fc00::/7",       // IPv6 unique local addr
+		// IPv4 Special-Purpose Address Space
+		// Address ranges taken from https://www.iana.org/assignments/iana-ipv4-special-registry/
+		// that have the "Globally Reachable" flag marked as "False".
+		"0.0.0.0/8",      // "This network" [RFC791], Section 3.2
+		"10.0.0.0/8",     // Private-Use [RFC1918]
+		"100.64.0.0/10",  // Shared Address Space [RFC6598]
+		"127.0.0.0/8",    // Loopback [RFC1122], Section 3.2.1.3
+		"169.254.0.0/16", // Link Local [RFC3927]
+		"172.16.0.0/12",  // Private-Use [RFC1918]
+		// The 192.0.0.0/24 block does include the addresses 192.0.0.9 &
+		// 192.0.0.10, these are marked as "Globally Reachable" but are
+		// for such specific protocols that blocking them will not
+		// affect flux scripts.
+		"192.0.0.0/24",       // IETF Protocol Assignments [RFC6890], Section 2.1
+		"192.0.2.0/24",       // Documentation (TEST-NET-1) [RFC5737]
+		"192.88.99.2/32",     // 6a44-relay anycast address [RFC6751]
+		"192.168.0.0/16",     // Private-Use [RFC1918]
+		"198.18.0.0/15",      // Benchmarking [RFC2544]
+		"198.51.100.0/24",    // Documentation (TEST-NET-2) [RFC5737]
+		"203.0.113.0/24",     // Documentation (TEST-NET-3) [RFC5737]
+		"240.0.0.0/4",        // Reserved [RFC1112], Section 4
+		"255.255.255.255/32", // Limited Broadcast [RFC8190] [RFC919], Section 7
+
+		// IPv6 Special-Purpose Address Space
+		// Address ranges taken from https://www.iana.org/assignments/iana-ipv6-special-registry/
+		// that have the "Globally Reachable" flag marked as "False".
+		"::1/128", // Loopback Address [RFC4291]
+		"::/128",  // Unspecified Address [RFC4291]
+		// The IPv4-mapped Address block is marked as not being globally
+		// reachable, but is also how Go stores IPv4 Addresses, so
+		// adding the range causes all IPv4 addresses to be blocked.
+		// "::ffff:0:0/96", IPv4-mapped Address [RFC4291]
+		"64:ff9b:1::/48", // IPv4-IPv6 Translat. [RFC8215]
+		"100::/64",       // Discard-Only Address Block [RFC6666]
+		"100:0:0:1::/64", // Dummy IPv6 Prefix [RFC9780]
+		// The 2001::/23 block includes a number of ranges which are
+		// marked as "Globally Reachable" but are for such specific
+		// protocols that blocking them will not affect flux scripts.
+		"2001::/23",     // IETF Protocol Assignments [RFC2928]
+		"2001:db8::/32", // Documentation [RFC3849]
+		"2002::/16",     // 6to4 [RFC3056]
+		"3fff::/20",     // Documentation [RFC9637]
+		"5f00::/16",     // Segment Routing (SRv6) SIDs [RFC9602]
+		"fc00::/7",      // Unique-Local [RFC4193] [RFC8190]
+		"fe80::/10",     // Link-Local Unicast [RFC4291]
 	} {
 		_, block, err := net.ParseCIDR(cidr)
 		if err != nil {
diff --git a/go.mod b/go.mod
@@ -36,7 +36,7 @@ require (
 	github.com/mattn/go-sqlite3 v1.14.18
 	github.com/microsoft/go-mssqldb v1.9.4
 	github.com/opentracing/opentracing-go v1.2.0
-	github.com/prometheus/client_model v0.6.1
+	github.com/prometheus/client_model v0.6.2
 	github.com/prometheus/common v0.53.0
 	github.com/segmentio/kafka-go v0.4.50
 	github.com/spf13/cobra v0.0.3
@@ -50,7 +50,7 @@ require (
 	gonum.org/v1/gonum v0.15.1
 	google.golang.org/api v0.214.0
 	google.golang.org/grpc v1.71.0
-	google.golang.org/protobuf v1.36.5
+	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -379,8 +379,8 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE=
 github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -685,8 +685,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
 google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/stdlib/experimental/prometheus/prometheus_test.go b/stdlib/experimental/prometheus/prometheus_test.go
@@ -5,11 +5,14 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 
 	flux "github.com/influxdata/flux"
 	"github.com/influxdata/flux/dependencies/dependenciestest"
+	fhttp "github.com/influxdata/flux/dependencies/http"
+	"github.com/influxdata/flux/dependencies/url"
 	"github.com/influxdata/flux/dependency"
 	"github.com/influxdata/flux/execute"
 	"github.com/influxdata/flux/execute/executetest"
@@ -230,7 +233,9 @@ func testSourceDecoder(p *PrometheusIterator, t *testing.T) *executetest.Result
 	results := &executetest.Result{}
 	runOnce := true
 
-	ctx, deps := dependency.Inject(context.Background(), dependenciestest.Default())
+	dependencies := dependenciestest.Default()
+	dependencies.Deps.Deps.HTTPClient = fhttp.NewDefaultClient(url.PassValidator{})
+	ctx, deps := dependency.Inject(context.Background(), dependencies)
 	defer deps.Finish()
 
 	err := p.Connect(ctx)
@@ -271,3 +276,28 @@ func testSourceDecoder(p *PrometheusIterator, t *testing.T) *executetest.Result
 	}
 	return results
 }
+
+func TestValidation(t *testing.T) {
+	dependencies := dependenciestest.Default()
+	dependencies.Deps.Deps.HTTPClient = fhttp.NewDefaultClient(url.PrivateIPValidator{})
+	ctx, deps := dependency.Inject(context.Background(), dependencies)
+	defer deps.Finish()
+
+	spec := &ScrapePrometheusProcedureSpec{URL: "http://[::1]"}
+	admin := &mock.Administration{}
+	c := execute.NewTableBuilderCache(admin.Allocator())
+	timestamp := time.Now()
+	p := &PrometheusIterator{
+		NowFn:          func() time.Time { return timestamp },
+		spec:           spec,
+		administration: admin,
+		cache:          c,
+	}
+	err := p.Connect(ctx)
+	if err == nil {
+		t.Fatal("expected connection error")
+	}
+	if !strings.HasSuffix(err.Error(), "no such host") {
+		t.Fatalf("unexpected error: %s", err)
+	}
+}
diff --git a/stdlib/experimental/prometheus/scrape.go b/stdlib/experimental/prometheus/scrape.go
@@ -10,7 +10,6 @@ import (
 	"math"
 	"mime"
 	"net/http"
-	"net/url"
 	"time"
 
 	"github.com/influxdata/flux/runtime"
@@ -135,23 +134,20 @@ func (p *PrometheusIterator) Connect(ctx context.Context) error {
 		p.now = time.Now()
 	}
 
-	u, err := url.Parse(p.url)
+	// Get URL validating HTTP client.
+	client, err := flux.GetDependencies(ctx).HTTPClient()
 	if err != nil {
 		return err
 	}
 
-	// Validate url
-	deps := flux.GetDependencies(ctx)
-	validator, err := deps.URLValidator()
+	// Create request
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, p.url, nil)
 	if err != nil {
 		return err
 	}
-	if err := validator.Validate(u); err != nil {
-		return err
-	}
 
 	// Get response
-	resp, err := http.Get(p.url)
+	resp, err := client.Do(req)
 	if err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ type Dependency struct {`
`27`	`27`	`Provider Provider`
`28`	`28`	`}`
`29`	`29`
`30`		`-// Inject will inject the Dialer into the dependency chain.`
	`30`	`+// Inject will inject the Provider into the dependency chain.`
`31`	`31`	`func (d Dependency) Inject(ctx context.Context) context.Context {`
`32`	`32`	`return Inject(ctx, d.Provider)`
`33`	`33`	`}`