fix: correctly check denied domains and ips for actions (#8810)

# Which Problems Are Solved System administrators can block hosts and IPs for HTTP calls in actions. Using DNS, blocked IPs could be bypassed. # How the Problems Are Solved - Hosts are resolved (DNS lookup) to check whether their corresponding IP is blocked. # Additional Changes - Added complete lookup ip address range and "unspecified" address to the default `DenyList` (cherry picked from commit 79fb4cc1cc)
2025-08-25 12:58:01 +00:00 · 2024-10-22 16:16:44 +02:00
parent b1d0813905
commit b86847157f
5 changed files with 95 additions and 60 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -600,7 +600,10 @@ Actions:
    # Wildcard sub domains are currently unsupported
    DenyList: # ZITADEL_ACTIONS_HTTP_DENYLIST (comma separated list)
      - localhost
-      - "127.0.0.1"
+      - "127.0.0.0/8"
+      - "::1"
+      - "0.0.0.0"
+      - "::"

 LogStore:
  Access:
--- a/cmd/start/config_test.go
+++ b/cmd/start/config_test.go
@@ -47,9 +47,9 @@ Log:
 `},
 		want: func(t *testing.T, config *Config) {
 			assert.Equal(t, config.Actions.HTTP.DenyList, []actions.AddressChecker{
-				&actions.DomainChecker{Domain: "localhost"},
-				&actions.IPChecker{IP: net.ParseIP("127.0.0.1")},
-				&actions.DomainChecker{Domain: "foobar"}})
+				&actions.HostChecker{Domain: "localhost"},
+				&actions.HostChecker{IP: net.ParseIP("127.0.0.1")},
+				&actions.HostChecker{Domain: "foobar"}})
 		},
 	}, {
 		name: "actions deny list string ok",
@@ -63,9 +63,9 @@ Log:
 `},
 		want: func(t *testing.T, config *Config) {
 			assert.Equal(t, config.Actions.HTTP.DenyList, []actions.AddressChecker{
-				&actions.DomainChecker{Domain: "localhost"},
-				&actions.IPChecker{IP: net.ParseIP("127.0.0.1")},
-				&actions.DomainChecker{Domain: "foobar"}})
+				&actions.HostChecker{Domain: "localhost"},
+				&actions.HostChecker{IP: net.ParseIP("127.0.0.1")},
+				&actions.HostChecker{Domain: "foobar"}})
 		},
 	}, {
 		name: "features ok",