
Commit a3fdde2

committed
Extend list of reserved IP addresses.
Taken from jtdowney/private_address_check#3
1 parent 7e7fb8a commit a3fdde2


2 files changed

+37
-7
lines changed


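--- a/lib/handlers/cors-proxy.js
+++ b/lib/handlers/cors-proxy.js
@@ -22,11 +22,35 @@ const PROXY_SETTINGS = {
 router: req => req.destination.target,
 pathRewrite: (path, req) => req.destination.path
 }
-const LOCAL_IP_RANGES = [
-'10.0.0.0/8',
-'127.0.0.0/8',
-'172.16.0.0/12',
-'192.168.0.0/16'
+// https://en.wikipedia.org/wiki/Reserved_IP_addresses
+const RESERVED_IP_RANGES = [
+'127.0.0.0/8', // loopback
+'::1/128', // loopback
+'0.0.0.0/8', // current network (only valid as source address)
+'169.254.0.0/16', // link-local
+'10.0.0.0/8', // private network
+'100.64.0.0/10', // Shared Address Space
+'172.16.0.0/12', // private network
+'192.0.0.0/24', // IETF Protocol Assignments
+'192.0.2.0/24', // TEST-NET-1, documentation and examples
+'192.88.99.0/24', // IPv6 to IPv4 relay (includes 2002::/16)
+'192.168.0.0/16', // private network
+'198.18.0.0/15', // network benchmark tests
+'198.51.100.0/24', // TEST-NET-2, documentation and examples
+'203.0.113.0/24', // TEST-NET-3, documentation and examples
+'224.0.0.0/4', // IP multicast (former Class D network)
+'240.0.0.0/4', // reserved (former Class E network)
+'255.255.255.255', // broadcast
+'64:ff9b::/96', // IPv4/IPv6 translation (RFC 6052)
+'100::/64', // discard prefix (RFC 6666)
+'2001::/32', // Teredo tunneling
+'2001:10::/28', // deprecated (previously ORCHID
+'2001:20::/28', // ORCHIDv2
+'2001:db8::/32', // documentation and example source code
+'2002::/16', // 6to4
+'fc00::/7', // unique local address
+'fe80::/10', // link-local address
+'ff00::/8' // multicast
 ]
 
 // Adds a CORS proxy handler to the application on the given path
@@ -58,7 +82,7 @@ function extractProxyConfig (req, res, next) {
 // Verifies and adds the proxy configuration to the request
 function addProxyConfig (error, hostAddress) {
 // Ensure the host is not a local IP
-if (error || LOCAL_IP_RANGES.some(r => ipRange(hostAddress, r))) {
+if (error || RESERVED_IP_RANGES.some(r => ipRange(hostAddress, r))) {
 return res.status(400).send(`Cannot proxy ${uri}`)
 }
 req.destination = { path, target: `${protocol}//${host}` }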
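Review bot: RESERVED_IP_RANGES still has no entry for IPv4-mapped IPv6 addresses or for the unspecified address `::`, so a `hostAddress` returned in mapped form would be compared only against the IPv6 entries and could miss the IPv4 loopback and private ranges; whether `ipRange` normalises mapped addresses is not visible here, so this should be confirmed or covered explicitly by adding `'::ffff:0:0/96', // IPv4-mapped addresses` and `'::/128', // unspecified address`. In the second hunk the check runs on the resolved `hostAddress` while `req.destination.target` is built from `host`, so the proxy presumably resolves the name again when it connects; the address that was validated is then not necessarily the one contacted, and pinning the connection to the checked address would close that gap. The `// deprecated (previously ORCHID` comment is also missing its closing parenthesis. addProxyConfig's body continues outside the hunk.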

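--- a/test/integration/cors-proxy-test.js
+++ b/test/integration/cors-proxy-test.js
@@ -44,7 +44,13 @@ describe('CORS Proxy', () => {
 .end(done)
 })
 
-const LOCAL_IPS = ['127.0.0.0', '10.0.0.0', '172.16.0.0', '192.168.0.0']
+const LOCAL_IPS = [
+'127.0.0.0',
+'10.0.0.0',
+'172.16.0.0',
+'192.168.0.0',
+'[::1]'
+]
 LOCAL_IPS.forEach(ip => {
 it(`should return 400 for a ${ip} address`, (done) => {
 nock(`https://${ip}`).get('/').reply(200)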
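Review bot: The test list gains only `'[::1]'`, so none of the IPv4 ranges this commit adds to RESERVED_IP_RANGES (link-local 169.254.0.0/16, shared address space 100.64.0.0/10, and the rest) has a regression test. Adding one representative address per new range, for example `'169.254.0.0'`, `'100.64.0.0'` and `'[fe80::1]'`, would pin the behaviour the commit is meant to introduce; the link-local range is worth covering first because internal service endpoints commonly live there. Renaming `LOCAL_IPS` to match the handler's `RESERVED_IP_RANGES` would keep the two files consistent. The `forEach` block continues outside the hunk.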
