fix: correctly check denied domains and ips for actions (#8810)

# Which Problems Are Solved System administrators can block hosts and IPs for HTTP calls in actions. Using DNS, blocked IPs could be bypassed. # How the Problems Are Solved - Hosts are resolved (DNS lookup) to check whether their corresponding IP is blocked. # Additional Changes - Added complete lookup ip address range and "unspecified" address to the default `DenyList`
2025-08-12 12:07:37 +00:00 · 2024-10-22 16:16:44 +02:00
parent fca6b28a97
commit 79fb4cc1cc
5 changed files with 95 additions and 60 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -600,7 +600,10 @@ Actions:
    # Wildcard sub domains are currently unsupported
    DenyList: # ZITADEL_ACTIONS_HTTP_DENYLIST (comma separated list)
      - localhost
-      - "127.0.0.1"
+      - "127.0.0.0/8"
+      - "::1"
+      - "0.0.0.0"
+      - "::"

 LogStore:
  Access: