fix: correctly check denied domains and ips for actions (#8810)

# Which Problems Are Solved System administrators can block hosts and IPs for HTTP calls in actions. Using DNS, blocked IPs could be bypassed. # How the Problems Are Solved - Hosts are resolved (DNS lookup) to check whether their corresponding IP is blocked. # Additional Changes - Added complete lookup ip address range and "unspecified" address to the default `DenyList` (cherry picked from commit 79fb4cc1cc)
2025-08-12 03:47:33 +00:00 · 2024-10-22 16:16:44 +02:00
parent 27ab1a22e7
commit 7508e6c9f3
5 changed files with 95 additions and 60 deletions
--- a/cmd/start/config_test.go
+++ b/cmd/start/config_test.go
@@ -47,9 +47,9 @@ Log:
 `},
 		want: func(t *testing.T, config *Config) {
 			assert.Equal(t, config.Actions.HTTP.DenyList, []actions.AddressChecker{
-				&actions.DomainChecker{Domain: "localhost"},
-				&actions.IPChecker{IP: net.ParseIP("127.0.0.1")},
-				&actions.DomainChecker{Domain: "foobar"}})
+				&actions.HostChecker{Domain: "localhost"},
+				&actions.HostChecker{IP: net.ParseIP("127.0.0.1")},
+				&actions.HostChecker{Domain: "foobar"}})
 		},
 	}, {
 		name: "actions deny list string ok",
@@ -63,9 +63,9 @@ Log:
 `},
 		want: func(t *testing.T, config *Config) {
 			assert.Equal(t, config.Actions.HTTP.DenyList, []actions.AddressChecker{
-				&actions.DomainChecker{Domain: "localhost"},
-				&actions.IPChecker{IP: net.ParseIP("127.0.0.1")},
-				&actions.DomainChecker{Domain: "foobar"}})
+				&actions.HostChecker{Domain: "localhost"},
+				&actions.HostChecker{IP: net.ParseIP("127.0.0.1")},
+				&actions.HostChecker{Domain: "foobar"}})
 		},
 	}, {
 		name: "features ok",