releases/v0.13.3 #103
Conversation
Pull request overview
This PR releases version 0.13.3, which adds security validation to prevent requests to private IP addresses and hostnames. The main changes include implementing host validation logic to block access to private networks and updating various dependencies.
- Implemented `is_public_host` validation to block requests to private IP addresses
- Added IPv4 and IPv6 private address detection functions
- Updated project dependencies to newer versions
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Cargo.toml | Version bump from 0.13.2 to 0.13.3 |
| CHANGELOG.md | Added release notes for v0.13.3 documenting the new security feature |
| crates/http-backend/src/lib.rs | Implemented private IP detection functions and added validation check |
| crates/http-service/src/state.rs | Added public host validation check with error message |
| Cargo.lock | Updated numerous dependencies to their latest versions |
| pub fn is_public_host(host: &str) -> bool { | ||
| // Try to parse as IP address | ||
| match host.parse::<IpAddr>() { | ||
| Ok(ip) => !is_private_ip(&ip), | ||
| Err(_) => true, // Not an IP address, assume it's a hostname | ||
| } | ||
| } |
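Review bot: `is_public_host` screens only IP literals, since the `Err(_) => true` arm trusts every string that does not parse as an `IpAddr`, so `localhost`, an internal DNS name, or any attacker-controlled name that resolves to 127.0.0.1 or 10.0.0.0/8 passes. Fixing this by resolving the name and then checking is not enough on its own: the vetted addresses must be the ones the HTTP client actually connects to, otherwise a rebinding DNS server can answer a public address to the check and a loopback address to the connect (time-of-check/time-of-use). Return the resolved addresses from the check and pin the client to them. Also confirm that `is_private_ip` judges an IPv4-mapped IPv6 literal such as `::ffff:127.0.0.1` (which `parse::<IpAddr>()` accepts as `IpAddr::V6`) by the embedded IPv4 address, and, if the backend follows redirects, that the check is re-applied to each redirect target.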
Copilot AI · Nov 25, 2025
The function is_public_host returns true for all non-IP hostnames, which is a security bypass. Hostnames can resolve to private IP addresses (e.g., 'localhost', '*.local', internal DNS names). Consider either: (1) resolving the hostname to an IP and then checking, or (2) maintaining a blocklist of known private hostname patterns, or (3) renaming the function to clarify it only validates IP addresses directly.
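The bypass the comment describes, and one hardened shape of the check, as an added example: this is not code from the PR or the project. The private-range predicate is written here for the example (the page shows only the 192.0.0.0/24 term of the project's own `is_private_ip`), the `Resolver` trait, `StaticResolver` and the `*.example` names are hypothetical so the demonstration runs offline, and the addresses are constructed from RFC 5737 documentation space and private ranges.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, ToSocketAddrs};

// Private/special IPv4 ranges. Written for this example; the PR's own
// is_private_ip list is not shown on the page beyond the 192.0.0.0/24 term.
fn is_private_ipv4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_private() || ip.is_loopback() || ip.is_link_local() || ip.is_unspecified() || ip.is_broadcast()
        || o[0] == 0                                  // 0.0.0.0/8 "this network"
        || (o[0] == 100 && (o[1] & 0xC0) == 64)       // 100.64.0.0/10 shared address space
        // 192.0.0.0/24 except .9 (PCP anycast) and .10 (TURN anycast), which IANA marks globally reachable
        || (o[0] == 192 && o[1] == 0 && o[2] == 0 && o[3] != 9 && o[3] != 10)
}

fn is_private_ipv6(ip: Ipv6Addr) -> bool {
    // ::ffff:a.b.c.d must be judged as a.b.c.d, or ::ffff:127.0.0.1 slips through.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return is_private_ipv4(v4);
    }
    let s0 = ip.segments()[0];
    ip.is_loopback() || ip.is_unspecified()
        || (s0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (s0 & 0xffc0) == 0xfe80 // fe80::/10 link-local
        || (s0 & 0xff00) == 0xff00 // ff00::/8 multicast
}

fn is_private_ip(ip: IpAddr) -> bool {
    match ip { IpAddr::V4(v4) => is_private_ipv4(v4), IpAddr::V6(v6) => is_private_ipv6(v6) }
}

/// The check as shown in the diff: IP literals are screened, every hostname is trusted.
fn is_public_host_original(host: &str) -> bool {
    match host.parse::<IpAddr>() { Ok(ip) => !is_private_ip(ip), Err(_) => true }
}

/// Resolution sits behind a trait (hypothetical) so the check can run offline against constructed answers.
trait Resolver { fn resolve(&self, host: &str) -> Result<Vec<IpAddr>, String>; }

/// Real resolver (the OS stub resolver); not used by the offline demo below.
#[allow(dead_code)]
struct SystemResolver;
impl Resolver for SystemResolver {
    fn resolve(&self, host: &str) -> Result<Vec<IpAddr>, String> {
        (host, 0u16).to_socket_addrs().map(|it| it.map(|sa| sa.ip()).collect()).map_err(|e| e.to_string())
    }
}

/// Constructed answers: hypothetical names, RFC 5737 documentation and private addresses.
struct StaticResolver(HashMap<&'static str, Vec<IpAddr>>);
impl Resolver for StaticResolver {
    fn resolve(&self, host: &str) -> Result<Vec<IpAddr>, String> {
        self.0.get(host).cloned().ok_or_else(|| format!("{host}: NXDOMAIN"))
    }
}

/// Hardened shape: resolve first, reject if ANY answer is non-public, and hand the vetted
/// addresses back so the caller connects to exactly those rather than to a fresh lookup
/// that a rebinding DNS server could answer differently.
fn resolve_public_host<R: Resolver>(resolver: &R, host: &str) -> Result<Vec<IpAddr>, String> {
    let host = host.trim_start_matches('[').trim_end_matches(']'); // URL-style IPv6 literal
    let lower = host.to_ascii_lowercase();
    if lower == "localhost" || lower.ends_with(".localhost") {
        return Err(format!("{host}: loopback name (RFC 6761)"));
    }
    let addrs = match host.parse::<IpAddr>() {
        Ok(ip) => vec![ip],
        Err(_) => resolver.resolve(host)?,
    };
    if addrs.is_empty() {
        return Err(format!("{host}: no addresses"));
    }
    if let Some(bad) = addrs.iter().find(|ip| is_private_ip(**ip)) {
        return Err(format!("{host}: resolves to non-public address {bad}"));
    }
    Ok(addrs)
}

fn demo_resolver() -> StaticResolver {
    let ip = |s: &str| s.parse::<IpAddr>().unwrap();
    StaticResolver(HashMap::from([
        ("public.example", vec![ip("203.0.113.10")]),
        ("intranet.example", vec![ip("10.0.0.5")]),
        ("mixed.example", vec![ip("203.0.113.10"), ip("192.168.1.1")]),
        ("mapped.example", vec![ip("::ffff:169.254.169.254")]),
    ]))
}

fn main() {
    let r = demo_resolver();
    for h in ["localhost", "intranet.example", "mixed.example", "mapped.example", "public.example", "[::1]"] {
        println!("{h:<18} original={} hardened={:?}", is_public_host_original(h), resolve_public_host(&r, h));
    }
}
```

Rejecting when any resolved address is non-public, rather than when the first one is, matters because an attacker controls the whole answer set and the client may pick any record. Returning the vetted `Vec<IpAddr>` is what lets the caller pin the connection (for example via the HTTP client's per-host resolver override) and close the check-then-connect gap.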
| ip.octets()[0] == 192 && ip.octets()[1] == 0 && ip.octets()[2] == 0 | ||
| && ip.octets()[3] != 9 && ip.octets()[3] != 10 | ||
| ) |
Copilot AI · Nov 25, 2025
[nitpick] The formatting is inconsistent with opening parenthesis on the previous line but closing on a separate line. Consider reformatting to align with the surrounding code style, either keeping the entire condition on one line or properly indenting the closing parenthesis.
| ip.octets()[0] == 192 && ip.octets()[1] == 0 && ip.octets()[2] == 0 | |
| && ip.octets()[3] != 9 && ip.octets()[3] != 10 | |
| ) | |
| ip.octets()[0] == 192 && ip.octets()[1] == 0 && ip.octets()[2] == 0 | |
| && ip.octets()[3] != 9 && ip.octets()[3] != 10 | |
| ) |
| || ( | ||
| ip.octets()[0] == 192 && ip.octets()[1] == 0 && ip.octets()[2] == 0 | ||
| && ip.octets()[3] != 9 && ip.octets()[3] != 10 | ||
| ) |
Copilot AI · Nov 25, 2025
The 192.0.0.0/24 range check lacks documentation explaining which specific reserved addresses are being filtered. The exceptions for .9 and .10 should be documented to clarify why these specific addresses (192.0.0.9 and 192.0.0.10) are allowed while the rest of 192.0.0.0/24 is blocked.
| || ( | |
| ip.octets()[0] == 192 && ip.octets()[1] == 0 && ip.octets()[2] == 0 | |
| && ip.octets()[3] != 9 && ip.octets()[3] != 10 | |
| ) | |
| // Block 192.0.0.0/24, which is reserved by IANA for special purposes (RFC 6890). | |
| // However, allow 192.0.0.9 (used for DNS over TLS) and 192.0.0.10 (used for DNS over HTTPS), | |
| // as assigned by IANA (see https://www.iana.org/assignments/iana-ipv4-special-registry/). | |
| || ( | |
| ip.octets()[0] == 192 && ip.octets()[1] == 0 && ip.octets()[2] == 0 | |
| && ip.octets()[3] != 9 && ip.octets()[3] != 10 // exceptions: 192.0.0.9 and 192.0.0.10 | |
| ) |
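Review bot: the suggested comment misattributes the two exceptions. In the IANA IPv4 Special-Purpose Address Registry, 192.0.0.9/32 is the Port Control Protocol Anycast address (RFC 7723) and 192.0.0.10/32 is the Traversal Using Relays around NAT (TURN) Anycast address (RFC 8155); neither has anything to do with DNS over TLS or DNS over HTTPS. They are carved out of the block because the registry marks both as globally reachable, unlike the rest of 192.0.0.0/24 (IETF Protocol Assignments, RFC 6890). This is the same carve-out that Rust's still-unstable `Ipv4Addr::is_global` makes, with the note that .9 and .10 are documented as globally reachable. Suggest replacing the two comment lines with: `// 192.0.0.0/24 is IETF Protocol Assignments (RFC 6890); 192.0.0.9 (PCP anycast, RFC 7723) and` / `// 192.0.0.10 (TURN anycast, RFC 8155) are registered as globally reachable and stay allowed.`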