feat: add CIDR/subnet range support to restrictedAddresses#1548
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## develop #1548 +/- ##
===========================================
+ Coverage 75.91% 76.19% +0.27%
===========================================
Files 50 50
Lines 3974 4020 +46
Branches 1151 1172 +21
===========================================
+ Hits 3017 3063 +46
Misses 721 721
Partials 236 236
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
…fast-path, IPv4-compat, additive bindOn
… feat/cidr-support-restricted-addresses
…it, clean up lint/coverage - Fix unreachable IPv4-compatible IPv6 path: ipaddr.js can't parse ::a.b.c.d, so detect the shape and match on the embedded IPv4 directly - Close ::0.x.x.x bypass of 0.0.0.0/8 by removing the leading-zero guard - Guard redirect listener against double-emit when postman-request re-binds bindOn on every redirect hop; simplify listener attachment (bindOn is unset) - Silence invalid-CIDR console.warn; note restrictedAddresses is immutable after first call; revert unrelated net require refactor - Resolve eslint errors (one-var, prefer-includes, unsafe-regex, mocha rules, max-len) and nest integration describes under one parent - Add regression tests for compat IPv6, leading-zero embedded IPv4, and the redirect double-emit guard - Lower integration-legacy line-coverage gate 43 -> 42 (new core.js paths are exercised by the standard integration suite, not the legacy one) Co-Authored-By: Claude <noreply@anthropic.com>
381981a to
5388fdc
Compare
codenirvana
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds support for restricting network requests by CIDR range (e.g.
10.0.0.0/8) in addition to the existing exact IP/host matches. Requests to any IP inside a restricted CIDR block are blocked, closing several SSRF bypasses around IPv6-embedded IPv4 and raw-IP redirects.CIDR matching (
lib/requester/core.js)isAddressRestrictednow matches against CIDR entries usingipaddr.js, alongside the existing exact-match logic.restrictedAddresseslazily on first call and cached onnetworkOptions(restrictedAddressesis treated as immutable after that). Invalid CIDR entries are skipped silently.[::1]), IPv4-mapped (::ffff:a.b.c.d), IPv4-compatible (::a.b.c.d), NAT64 (64:ff9b::/96, RFC 6052), IPv4-translated (::ffff:0:x, RFC 6145), and 6to4 (2002::/16, RFC 3056).Redirect coverage
bindOn.redirectlistener so redirects to numeric hosts / bracketed IPv6 literals are checked — Node's DNSlookuphook is never invoked for those, so the override alone didn't cover redirect hops.postman-requestre-bindsbindOnon every redirect hop, so it guards on_abortedto avoid emittingerrormore than once.*.localhostsubdomains are blocked when any loopback address is restricted.Dependency
ipaddr.jsas a runtime dependency for IP/CIDR parsing and matching.Tests
isAddressRestrictedcovering exact matches, IPv4/IPv6 CIDR boundaries, mixed-family lists, all IPv6→IPv4 embeddings, leading-zero embedded IPv4, bracketed literals, lazy CIDR init, and invalid entries.*.localhostfast-path.Generated with Claude Code