mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:01:31 +00:00
shankar0123
21aeed4f4e
Phase 0 closure (Path B2, post-rewrite):
addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:
// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1
Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).
Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.
Generated via:
addlicense -c "certctl LLC" -y 2026 \
-f cowork/legal/copyright-header.tpl \
-ignore '**/testdata/**' -ignore '**/*_test.go' \
cmd/ internal/
Verification:
find cmd internal -name '*.go' -not -name '*_test.go' \
-not -path '*/testdata/*' \
-exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l
Returns: 0
gofmt clean. Header additions are comments only, no compile impact.
Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
227 lines
7.9 KiB
Go
227 lines
7.9 KiB
Go
// Copyright 2026 certctl LLC. All rights reserved.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package validation
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
// IsReservedIP reports whether the given IP falls inside a range that
|
|
// outbound HTTP egress (and the network-scanner CIDR expander) MUST treat
|
|
// as unreachable: loopback, link-local (including cloud-provider metadata
|
|
// endpoints at 169.254.169.254), multicast, and broadcast.
|
|
//
|
|
// RFC 1918 ranges (10/8, 172.16/12, 192.168/16) are intentionally NOT
|
|
// treated as reserved. certctl is designed to manage certificates inside
|
|
// private networks and filtering private address space would break the
|
|
// primary use case. The threat model here is outbound HTTP to
|
|
// cloud-metadata or localhost services, not general network reachability.
|
|
//
|
|
// This function is byte-identical in behaviour to the previous unexported
|
|
// copy in internal/service/network_scan.go. It is exported here so both
|
|
// the network scanner and the webhook notifier share a single
|
|
// authoritative implementation. Broader IPv6 coverage and unspecified-
|
|
// address handling live in SafeHTTPDialContext, where stricter policy is
|
|
// appropriate for outbound HTTP egress.
|
|
func IsReservedIP(ip net.IP) bool {
|
|
// Loopback: 127.0.0.0/8 (and ::1 via IsLoopback).
|
|
if ip.IsLoopback() {
|
|
return true
|
|
}
|
|
|
|
// Link-local: 169.254.0.0/16 (includes cloud metadata 169.254.169.254).
|
|
if linkLocal := net.ParseIP("169.254.0.0"); linkLocal != nil {
|
|
if _, linkLocalNet, _ := net.ParseCIDR("169.254.0.0/16"); linkLocalNet != nil {
|
|
if linkLocalNet.Contains(ip) {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
// Multicast: 224.0.0.0/4.
|
|
if multicast := net.ParseIP("224.0.0.0"); multicast != nil {
|
|
if _, multicastNet, _ := net.ParseCIDR("224.0.0.0/4"); multicastNet != nil {
|
|
if multicastNet.Contains(ip) {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
// Broadcast: 255.255.255.255.
|
|
if ip.String() == "255.255.255.255" {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// IsReservedIPForDial applies IsReservedIP plus additional ranges that are
|
|
// meaningful for outbound HTTP egress but were not part of the original
|
|
// network-scanner filter: the unspecified address (0.0.0.0 / ::) and IPv6
|
|
// link-local / multicast ranges. The Phase 3 ACME HTTP-01 validator
|
|
// (internal/api/acme/validators.go) reuses this same gate so HTTP-01
|
|
// fetches can't be turned into an SSRF primitive against private-IP
|
|
// space.
|
|
func IsReservedIPForDial(ip net.IP) bool {
|
|
return isReservedIPForDial(ip)
|
|
}
|
|
|
|
// isReservedIPForDial is kept as the package-private implementation so
|
|
// every existing call site (the network scanner + ValidateSafeURL +
|
|
// the SafeHTTPDial-test helpers) stays byte-identical. The exported
|
|
// wrapper IsReservedIPForDial above is the one new callers (Phase 3
|
|
// ACME HTTP-01 validator) take.
|
|
func isReservedIPForDial(ip net.IP) bool {
|
|
if ip == nil {
|
|
return true
|
|
}
|
|
if IsReservedIP(ip) {
|
|
return true
|
|
}
|
|
if ip.IsUnspecified() {
|
|
return true
|
|
}
|
|
// IPv6 link-local fe80::/10.
|
|
if _, n, err := net.ParseCIDR("fe80::/10"); err == nil && n.Contains(ip) {
|
|
return true
|
|
}
|
|
// IPv6 multicast ff00::/8.
|
|
if _, n, err := net.ParseCIDR("ff00::/8"); err == nil && n.Contains(ip) {
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// ValidateSafeURL parses rawURL and rejects anything that would let an
|
|
// attacker aim an outbound HTTP client at a SSRF-sensitive destination
|
|
// (CWE-918). Guards enforced:
|
|
//
|
|
// 1. The scheme must be http or https. Schemes like file://, gopher://,
|
|
// ftp://, data:, javascript:, ldap://, and dict:// are rejected outright;
|
|
// webhook delivery only speaks HTTP(S).
|
|
// 2. A hostname must be present. Empty-host URLs like "http:///foo" are
|
|
// rejected to prevent ambiguous defaulting.
|
|
// 3. If the host is a literal IP address, the IP must not be reserved
|
|
// (see isReservedIPForDial). This stops the obvious 127.0.0.1 / ::1 /
|
|
// 169.254.169.254 / 0.0.0.0 attacks at config time.
|
|
// 4. If the host is a DNS name and resolution succeeds, every resolved
|
|
// A/AAAA record must be non-reserved. A single reserved result is
|
|
// enough to reject. Resolution failure is tolerated (offline CI
|
|
// environments, short-lived test servers) — the authoritative
|
|
// enforcement runs at dial time anyway.
|
|
//
|
|
// The DNS resolution check here is a best-effort early diagnostic. The
|
|
// authoritative, TOCTOU-safe enforcement is SafeHTTPDialContext, which
|
|
// re-checks after resolution at dial time and defeats DNS rebinding.
|
|
// Callers that need SSRF-safe HTTP egress should use BOTH
|
|
// ValidateSafeURL (at config ingestion) AND SafeHTTPDialContext
|
|
// (installed on http.Transport).
|
|
func ValidateSafeURL(rawURL string) error {
|
|
if rawURL == "" {
|
|
return fmt.Errorf("url is required")
|
|
}
|
|
|
|
u, err := url.Parse(rawURL)
|
|
if err != nil {
|
|
return fmt.Errorf("invalid url: %w", err)
|
|
}
|
|
|
|
scheme := strings.ToLower(u.Scheme)
|
|
if scheme != "http" && scheme != "https" {
|
|
return fmt.Errorf("url scheme %q is not allowed; only http and https are permitted", u.Scheme)
|
|
}
|
|
|
|
host := u.Hostname()
|
|
if host == "" {
|
|
return fmt.Errorf("url must include a host")
|
|
}
|
|
|
|
// Literal IP? Reject if reserved (strict policy for outbound egress).
|
|
if ip := net.ParseIP(host); ip != nil {
|
|
if isReservedIPForDial(ip) {
|
|
return fmt.Errorf("url host resolves to a reserved address and cannot be used")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// DNS name. Resolve and reject if any answer is reserved.
|
|
ips, err := net.LookupIP(host)
|
|
if err != nil {
|
|
// Resolution failure is not itself a SSRF signal; let the dial-time
|
|
// DialContext handle the final decision. This keeps the validator
|
|
// tolerant of offline validation environments (CI, tests) while
|
|
// still blocking clearly-bad literal-IP URLs above.
|
|
return nil
|
|
}
|
|
for _, ip := range ips {
|
|
if isReservedIPForDial(ip) {
|
|
return fmt.Errorf("url host resolves to a reserved address and cannot be used")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// SafeHTTPDialContext returns a DialContext function suitable for
|
|
// installing on an http.Transport. Every dial attempt resolves the host
|
|
// again and rejects any connection whose resolved IP lies inside a
|
|
// reserved range. This is the authoritative SSRF / DNS-rebinding guard:
|
|
// even if ValidateSafeURL was bypassed, or if DNS changed between
|
|
// validation and dial, the outbound connection will fail closed.
|
|
//
|
|
// The timeout argument bounds both the resolution and the underlying TCP
|
|
// dial. Pass 0 to use a sensible default (10s).
|
|
func SafeHTTPDialContext(timeout time.Duration) func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
if timeout <= 0 {
|
|
timeout = 10 * time.Second
|
|
}
|
|
dialer := &net.Dialer{
|
|
Timeout: timeout,
|
|
KeepAlive: 30 * time.Second,
|
|
}
|
|
return func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
host, port, err := net.SplitHostPort(addr)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid dial address %q: %w", addr, err)
|
|
}
|
|
|
|
// If the host is already a literal IP, check it directly.
|
|
if ip := net.ParseIP(host); ip != nil {
|
|
if isReservedIPForDial(ip) {
|
|
return nil, fmt.Errorf("refusing to dial reserved address %s", ip.String())
|
|
}
|
|
return dialer.DialContext(ctx, network, addr)
|
|
}
|
|
|
|
// Resolve and reject any answer that lands in a reserved range.
|
|
// We then dial an explicit resolved IP so a racing DNS change
|
|
// cannot substitute a different (and possibly reserved) answer
|
|
// between our check and the actual TCP dial.
|
|
resCtx, cancel := context.WithTimeout(ctx, timeout)
|
|
defer cancel()
|
|
ips, err := (&net.Resolver{}).LookupIP(resCtx, "ip", host)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("resolve %s: %w", host, err)
|
|
}
|
|
if len(ips) == 0 {
|
|
return nil, fmt.Errorf("no addresses found for %s", host)
|
|
}
|
|
for _, ip := range ips {
|
|
if isReservedIPForDial(ip) {
|
|
return nil, fmt.Errorf("refusing to dial %s: resolves to reserved address %s", host, ip.String())
|
|
}
|
|
}
|
|
|
|
// Dial the first non-reserved resolved IP directly, pinning the
|
|
// target so later DNS changes cannot redirect us.
|
|
pinned := net.JoinHostPort(ips[0].String(), port)
|
|
return dialer.DialContext(ctx, network, pinned)
|
|
}
|
|
}
|