fix: scope Telegram RFC2544 SSRF exception to policy opt-in (#24982) (thanks @stakeswky)

2026-05-10 06:22:42 +00:00 · 2026-02-24 03:27:40 +00:00
parent 9df80b73e2
commit 3af9d1f8e9
8 changed files with 72 additions and 43 deletions
--- a/src/infra/net/ssrf.pinning.test.ts
+++ b/src/infra/net/ssrf.pinning.test.ts
@@ -51,17 +51,26 @@ describe("ssrf pinning", () => {

  it.each([
    { name: "RFC1918 private address", address: "10.0.0.8" },
+    { name: "RFC2544 benchmarking range", address: "198.18.0.1" },
    { name: "TEST-NET-2 reserved range", address: "198.51.100.1" },
  ])("rejects blocked DNS results: $name", async ({ address }) => {
    const lookup = vi.fn(async () => [{ address, family: 4 }]) as unknown as LookupFn;
    await expect(resolvePinnedHostname("example.com", lookup)).rejects.toThrow(/private|internal/i);
  });

-  it("allows RFC2544 benchmark range addresses (used by Telegram)", async () => {
+  it("allows RFC2544 benchmark range addresses only when policy explicitly opts in", async () => {
    const lookup = vi.fn(async () => [
      { address: "198.18.0.153", family: 4 },
    ]) as unknown as LookupFn;
-    const pinned = await resolvePinnedHostname("api.telegram.org", lookup);
+
+    await expect(resolvePinnedHostname("api.telegram.org", lookup)).rejects.toThrow(
+      /private|internal/i,
+    );
+
+    const pinned = await resolvePinnedHostnameWithPolicy("api.telegram.org", {
+      lookupFn: lookup,
+      policy: { allowRfc2544BenchmarkRange: true },
+    });
    expect(pinned.addresses).toContain("198.18.0.153");
  });