fix(security): restrict canvas IP-based auth to private networks (#14661)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 9e4e1aca4a Co-authored-by: sumleo <29517764+sumleo@users.noreply.github.com> Co-authored-by: steipete <58493+steipete@users.noreply.github.com> Reviewed-by: @steipete
2026-05-08 08:41:23 +00:00 · 2026-02-14 00:13:31 +08:00
parent e665d77917
commit 14fc742000
5 changed files with 133 additions and 12 deletions
--- a/src/gateway/net.test.ts
+++ b/src/gateway/net.test.ts
@@ -1,6 +1,10 @@
 import os from "node:os";
 import { afterEach, describe, expect, it, vi } from "vitest";
-import { pickPrimaryLanIPv4, resolveGatewayListenHosts } from "./net.js";
+import {
+  isPrivateOrLoopbackAddress,
+  pickPrimaryLanIPv4,
+  resolveGatewayListenHosts,
+} from "./net.js";

 describe("resolveGatewayListenHosts", () => {
  it("returns the input host when not loopback", async () => {
@@ -77,3 +81,35 @@ describe("pickPrimaryLanIPv4", () => {
    expect(pickPrimaryLanIPv4()).toBeUndefined();
  });
 });
+
+describe("isPrivateOrLoopbackAddress", () => {
+  it("accepts loopback, private, link-local, and cgnat ranges", () => {
+    const accepted = [
+      "127.0.0.1",
+      "::1",
+      "10.1.2.3",
+      "172.16.0.1",
+      "172.31.255.254",
+      "192.168.0.1",
+      "169.254.10.20",
+      "100.64.0.1",
+      "100.127.255.254",
+      "::ffff:100.100.100.100",
+      "fc00::1",
+      "fd12:3456:789a::1",
+      "fe80::1",
+      "fe9a::1",
+      "febb::1",
+    ];
+    for (const ip of accepted) {
+      expect(isPrivateOrLoopbackAddress(ip)).toBe(true);
+    }
+  });
+
+  it("rejects public addresses", () => {
+    const rejected = ["1.1.1.1", "8.8.8.8", "172.32.0.1", "203.0.113.10", "2001:4860:4860::8888"];
+    for (const ip of rejected) {
+      expect(isPrivateOrLoopbackAddress(ip)).toBe(false);
+    }
+  });
+});