Merge pull request #142 from step-security/int

Address issues running on devspaces
step-security · Jan 4, 2022 · d444089 · d444089
2 parents 0ff42ee + 928bd53
commit d444089
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 1 deletion.
diff --git a/dnsproxy.go b/dnsproxy.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"math"
+	"strings"
 	"sync"
 
 	"github.com/miekg/dns"
@@ -154,6 +155,11 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {
 	}
 
 	if proxy.EgressPolicy == EgressPolicyBlock {
+		if strings.HasSuffix(domain, ".internal.") || strings.HasSuffix(domain, ".internal.cloudapp.net.") {
+			go WriteLog(fmt.Sprintf("unable to resolve internal domains: %s", domain))
+			return "", fmt.Errorf("cannot resolve internal domains")
+		}
+
 		if !proxy.isAllowedDomain(domain) {
 			go WriteLog(fmt.Sprintf("domain not allowed: %s", domain))
 			go WriteAnnotation(fmt.Sprintf("DNS resolution for domain %s was blocked", domain))
@@ -170,6 +176,7 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {
 
 	answer, err := proxy.ResolveDomain(domain)
 	if err != nil {
+		go WriteLog(fmt.Sprintf("unable to resolve domain: %s", domain))
 		return "", fmt.Errorf("error in response from dns.google %v", err)
 	}
 

diff --git a/eventhandler.go b/eventhandler.go
@@ -31,7 +31,7 @@ type EventHandler struct {
 	procMutex            sync.RWMutex
 }
 
-var classAPrivateSubnet, classBPrivateSubnet, classCPrivateSubnet, loopBackSubnet *net.IPNet
+var classAPrivateSubnet, classBPrivateSubnet, classCPrivateSubnet, loopBackSubnet, ipv6LinkLocalSubnet, ipv6LocalSubnet *net.IPNet
 
 func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 	eventHandler.fileMutex.Lock()
@@ -239,6 +239,11 @@ func (eventHandler *EventHandler) GetToolChain(ppid, exe string) *Tool {
 }
 
 func isPrivateIPAddress(ipAddress string) bool {
+
+	if ipAddress == AllZeros {
+		return true
+	}
+
 	if classAPrivateSubnet == nil {
 		_, classAPrivateSubnet, _ = net.ParseCIDR(classAPrivateAddressRange)
 	}
@@ -251,6 +256,12 @@ func isPrivateIPAddress(ipAddress string) bool {
 	if loopBackSubnet == nil {
 		_, loopBackSubnet, _ = net.ParseCIDR(loopBackAddressRange)
 	}
+	if ipv6LinkLocalSubnet == nil {
+		_, ipv6LinkLocalSubnet, _ = net.ParseCIDR(ipv6LinkLocalAddressRange)
+	}
+	if ipv6LocalSubnet == nil {
+		_, ipv6LocalSubnet, _ = net.ParseCIDR(ipv6LocalAddressRange)
+	}
 
 	ip := net.ParseIP(ipAddress)
 
@@ -270,5 +281,18 @@ func isPrivateIPAddress(ipAddress string) bool {
 		return true
 	}
 
+	if ipv6LinkLocalSubnet.Contains(ip) {
+		return true
+	}
+
+	if ipv6LocalSubnet.Contains(ip) {
+		return true
+	}
+
+	// https://gist.github.com/nanmu42/9c8139e15542b3c4a1709cb9e9ac61eb
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+		return true
+	}
+
 	return false
 }
diff --git a/firewall.go b/firewall.go
@@ -27,9 +27,12 @@ const (
 	classAPrivateAddressRange = "10.0.0.0/8"
 	classBPrivateAddressRange = "172.16.0.0/12"
 	classCPrivateAddressRange = "192.168.0.0/16"
+	ipv6LinkLocalAddressRange = "fe80::/10"
+	ipv6LocalAddressRange     = "fc00::/7"
 	loopBackAddressRange      = "127.0.0.0/8"
 	AzureIPAddress            = "168.63.129.16"
 	MetadataIPAddress         = "169.254.169.254"
+	AllZeros                  = "0.0.0.0"
 )
 
 type ipAddressEndpoint struct {