mirror of
https://github.com/coder/coder.git
synced 2026-06-03 04:58:23 +00:00
fb3aef1883
* fix(coderd): Harden Azure identity certificate fetch

- Restrict cert fetches to a host+port allowlist (Microsoft and DigiCert on 80/443).
- Route requests through a dedicated `http.Client` that resolves the host once and dials the validated IP directly.
- Reject loopback, private (RFC 1918 / IPv6 ULA), link-local, multicast, unspecified, CGNAT, benchmarking, and IPv4-mapped IPv6 addresses.
- Cap the certificate response body at 1 MiB.
- Log the underlying error via slog and return a generic detail to the caller.
- Add unit tests for the URL allowlist, IP classification, and dialer.

* fix(coderd/azureidentity): add IPv6 special-use ranges to SSRF blocklist

The extraBlockedNetworks list only contained IPv4 CIDRs. Add IPv6 equivalents that Go's stdlib classification methods do not cover:

- 64:ff9b:1::/48 RFC 8215 NAT64 translation
- 100::/64 RFC 6666 discard-only
- 2001:2::/48 RFC 5180 benchmarking
- 2001:db8::/32 RFC 3849 documentation

IPv6 ranges already handled by stdlib (unchanged):

- ::1/128 (IsLoopback)
- fc00::/7 (IsPrivate, ULA)
- fe80::/10 (IsLinkLocalUnicast)
- ff00::/8 (IsMulticast)
- ::/128 (IsUnspecified)
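The hardening the two commits describe, written out as an added Go example that is not Coder's code: a host+port allowlist check on the URL, a `netip`-based classifier that combines the stdlib methods with an `extraBlockedNetworks` list, a dialer that resolves the host once and connects to the validated IP, and a dedicated `http.Client` built on it. Everything not stated in the commit message is an assumption made here: the allowlist hostnames, the IPv4 CGNAT and benchmarking CIDRs (taken as RFC 6598 100.64.0.0/10 and RFC 2544 198.18.0.0/15), the function names, and the timeouts. The slog handling and the 1 MiB body cap are not shown.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
	"time"
)

// Assumed allowlist; the commit message does not list the project's entries.
var allowedHostPorts = map[string]bool{
	"www.microsoft.com:80": true, "www.microsoft.com:443": true,
	"cacerts.digicert.com:80": true, "cacerts.digicert.com:443": true,
}

// Special-use ranges that netip.Addr's IsLoopback/IsPrivate/IsLinkLocalUnicast/
// IsMulticast/IsUnspecified do not flag. The IPv4 entries are the standard
// CGNAT and benchmarking ranges (assumed from the commit wording).
var extraBlockedNetworks = []netip.Prefix{
	netip.MustParsePrefix("100.64.0.0/10"),  // RFC 6598 shared address space (CGNAT)
	netip.MustParsePrefix("198.18.0.0/15"),  // RFC 2544 benchmarking
	netip.MustParsePrefix("64:ff9b:1::/48"), // RFC 8215 local-use NAT64
	netip.MustParsePrefix("100::/64"),       // RFC 6666 discard-only
	netip.MustParsePrefix("2001:2::/48"),    // RFC 5180 benchmarking
	netip.MustParsePrefix("2001:db8::/32"),  // RFC 3849 documentation
}

// isBlockedIP reports whether addr must never be dialled. IPv4-mapped IPv6 is rejected
// outright: netip.Prefix.Contains never matches a mapped address against an IPv4 prefix,
// so ::ffff:100.64.0.1 would otherwise pass the CGNAT entry above.
func isBlockedIP(addr netip.Addr) bool {
	if addr.Is4In6() || addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsMulticast() || addr.IsUnspecified() {
		return true
	}
	for _, p := range extraBlockedNetworks {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// validateFetchURL enforces scheme and the host+port allowlist before any network activity.
func validateFetchURL(raw string) (host, port string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	host, port = strings.ToLower(u.Hostname()), u.Port()
	switch {
	case u.Scheme == "http" && port == "":
		port = "80"
	case u.Scheme == "https" && port == "":
		port = "443"
	case u.Scheme != "http" && u.Scheme != "https":
		return "", "", fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if hp := net.JoinHostPort(host, port); !allowedHostPorts[hp] {
		return "", "", fmt.Errorf("%s is not an allowed certificate source", hp)
	}
	return host, port, nil
}

// dialValidatedIP resolves the host once, checks every returned address and dials the
// first one by IP literal, so no second lookup can be rebound between check and connect.
func dialValidatedIP(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("%q resolves to blocked address %s", host, ip)
		}
	}
	d := net.Dialer{Timeout: 10 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
}

// newPinnedClient: a dedicated client with no environment proxy (a proxy would bypass the
// dial-time check) and no redirect following (a redirect target could leave the allowlist).
// http.Transport still verifies TLS against the URL hostname, not the dialled IP.
func newPinnedClient() *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
		Transport: &http.Transport{Proxy: nil, DialContext: dialValidatedIP},
	}
}
```

To use it, call `validateFetchURL` on the certificate URL, then issue the GET through `newPinnedClient()` and read the body with `io.LimitReader(resp.Body, 1<<20+1)`, treating more than 1 MiB as an error. Two details matter for the classifier: the well-known NAT64 prefix `64:ff9b::/96` is not in the commit's list (only the local-use `64:ff9b:1::/48` is), and the mapped-address rejection must come before the prefix loop, because `netip.Prefix.Contains` does not match `::ffff:a.b.c.d` against IPv4 prefixes.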