ResilientClient allowed to call internal IPs cannot call 100.64.0.0/10 IP range.

### Preflight checklist

- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's [Code of Conduct](https://github.com/ory/x/blob/master/CODE_OF_CONDUCT.md).
- [X] I have read and am following this repository's [Contribution Guidelines](https://github.com/ory/x/blob/master/CONTRIBUTING.md).
- [X] I have joined the [Ory Community Slack](https://slack.ory.sh).
- [X] I am signed up to the [Ory Security Patch Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53).

### Ory Network Project

_No response_

### Describe the bug

When creating a `ResilientClient` that is allowed calling internal IPs, some internal IP ranges are still blocked.

TL;DR:

The IP range 100.64.0.0/10 is blocked by the `ResilientClient`, even if we allow internal IPs or if we whitelist this specific IP.
Thus, there is no way to pass it.

----

Expected behaviour:
```
c := NewResilientClient()
c.Get("http://100.64.1.1:80/route")
```
should work, but instead we get an error:
```
[ERR] POST http://100.64.1.1:80/route request failed: Post "http://100.64.1.1:80/route": dial tcp 100.64.1.1:80: prohibited IP address: 100.64.1.1 is not a permitted destination (denied by: 100.64.0.0/10)
```
❌ 
This comes back to this range that is defined here: https://github.com/daenney/ssrf/blob/main/ssrf_gen.go#L38

We should only get this error when we do:
```
c := NewResilientClient(
  ResilientClientDisallowInternalIPs(),
)
c.Get("http://100.64.1.1:80/route")
```

----

Additionally, the `ResilientClientAllowInternalIPRequestsTo` option will not work as expected for these ranges.
Example:
```
c := NewResilientClient(
	ResilientClientDisallowInternalIPs(),
	ResilientClientAllowInternalIPRequestsTo("http://100.64.1.1:80/route"),
)
c.Get("http://100.64.1.1:80/route")
```
should work, but instead we get the same error:
```
[ERR] POST http://100.64.1.1:80/route request failed: Post "http://100.64.1.1:80/route": dial tcp 100.64.1.1:80: prohibited IP address: 100.64.1.1 is not a permitted destination (denied by: 100.64.0.0/10)
```

This happens because, no matter the `onWhitelist` [RoundTripper](https://github.com/ory/x/blob/master/httpx/resilient_client.go#L122) that we use, it is a [ssrf.Safe](https://github.com/ory/x/blob/master/httpx/ssrf.go#L85-L103) where we don't allow the 100.64.0.0/10 IP range.

### Reproducing the bug

Can be reproduced in the test suite quite easily, by creating a new test case like we have in `httpx/resilient_client_test.go`.

### Relevant log output

_No response_

### Relevant configuration

_No response_

### Version

v0.0.649

### On which operating system are you observing this issue?

None

### In which environment are you deploying?

None

### Additional Context

I'll try to submit a patch in the coming days/weeks.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ResilientClient allowed to call internal IPs cannot call 100.64.0.0/10 IP range. #805

Preflight checklist

Ory Network Project

Describe the bug

Reproducing the bug

Relevant log output

Relevant configuration

Version

On which operating system are you observing this issue?

In which environment are you deploying?

Additional Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

ResilientClient allowed to call internal IPs cannot call 100.64.0.0/10 IP range. #805

Description

Preflight checklist

Ory Network Project

Describe the bug

Reproducing the bug

Relevant log output

Relevant configuration

Version

On which operating system are you observing this issue?

In which environment are you deploying?

Additional Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions