From 05cc0fb1dfda50e60b16cc28150d7c8c3542083c Mon Sep 17 00:00:00 2001
From: Angus Lees <gus@inodes.org>
Date: Fri, 30 Jul 2021 20:12:48 +1000
Subject: [PATCH] Reject proxy requests to 0.0.0.0 as well

---
 pkg/proxy/util/utils.go      | 2 +-
 pkg/proxy/util/utils_test.go | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/proxy/util/utils.go b/pkg/proxy/util/utils.go
index 4100a1e8bff..88ae712f901 100644
--- a/pkg/proxy/util/utils.go
+++ b/pkg/proxy/util/utils.go
@@ -97,7 +97,7 @@ func IsProxyableIP(ip string) error {
 }
 
 func isProxyableIP(ip net.IP) error {
-	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() {
+	if !ip.IsGlobalUnicast() {
 		return ErrAddressNotAllowed
 	}
 	return nil
diff --git a/pkg/proxy/util/utils_test.go b/pkg/proxy/util/utils_test.go
index d5fced8e86f..fb6fb8e5ae1 100644
--- a/pkg/proxy/util/utils_test.go
+++ b/pkg/proxy/util/utils_test.go
@@ -103,6 +103,7 @@ func TestIsProxyableIP(t *testing.T) {
 		ip   string
 		want error
 	}{
+		{"0.0.0.0", ErrAddressNotAllowed},
 		{"127.0.0.1", ErrAddressNotAllowed},
 		{"127.0.0.2", ErrAddressNotAllowed},
 		{"169.254.169.254", ErrAddressNotAllowed},
@@ -112,6 +113,7 @@ func TestIsProxyableIP(t *testing.T) {
 		{"192.168.0.1", nil},
 		{"172.16.0.1", nil},
 		{"8.8.8.8", nil},
+		{"::", ErrAddressNotAllowed},
 		{"::1", ErrAddressNotAllowed},
 		{"fe80::", ErrAddressNotAllowed},
 		{"ff02::", ErrAddressNotAllowed},