
disallow_private_ip_ranges and private_ip_exception_urls settings don't work as expected #4049

David-Wobrock opened this issue Aug 21, 2024 · 0 comments
Labels
bug Something is not working.

@David-Wobrock
Contributor

Ory Network Project

No response

Describe the bug

To avoid SSRF, Kratos will block calling some private IP ranges.

This should be disabled by either doing:

```yaml
clients:
  http:
    disallow_private_ip_ranges: false
```

or by whitelisting the relevant URL:

```yaml
clients:
  http:
    disallow_private_ip_ranges: true
    private_ip_exception_urls:
      - http://100.64.1.1:80/route
```

However, for the IP range 100.64.0.0/10, doing either of those will not work.
The exceptions are not taken into account.

This is not directly an issue in Kratos, but in ory/x/httpx. See related issue: ory/x#805

Reproducing the bug

See related issue: ory/x#805

Relevant log output

No response

Relevant configuration

No response

Version

v1.2.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response
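As an added illustration (not Kratos or ory/x code), the following Go check models the behaviour the report expects from these two settings: with the guard disabled every target is allowed, and with it enabled an entry in private_ip_exception_urls is honoured for every blocked range, 100.64.0.0/10 included. The list of ranges, the exact-URL matching of exceptions and the literal-IP-only host handling are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
)

// Policy mirrors the two settings from the report. Hypothetical type, not ory/x's.
type Policy struct {
	DisallowPrivateIPRanges bool
	PrivateIPExceptionURLs  []string
}

// privateRanges is an assumed deny list; 100.64.0.0/10 (shared address space,
// RFC 6598) is the range the report found unaffected by the exception list.
var privateRanges = mustPrefixes(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
	"169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// Allowed reports whether a request to rawURL may be sent. The exception list is
// consulted before any range test, so no range can bypass it. Hostnames are not
// resolved here; the host must be a literal IP (an assumption of the example).
func (p Policy) Allowed(rawURL string) (bool, error) {
	if !p.DisallowPrivateIPRanges {
		return true, nil // guard switched off: nothing is blocked
	}
	for _, e := range p.PrivateIPExceptionURLs {
		if e == rawURL {
			return true, nil // explicitly whitelisted URL
		}
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	addr, err := netip.ParseAddr(u.Hostname())
	if err != nil {
		return false, fmt.Errorf("host %q is not a literal IP: %w", u.Hostname(), err)
	}
	for _, pr := range privateRanges {
		if pr.Contains(addr.Unmap()) { // Unmap handles IPv4-mapped IPv6 forms
			return false, nil
		}
	}
	return true, nil
}
```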
