fix: don't leak info from SSRF protection

GitOrigin-RevId: 49d2f068100fc87a061089e595dace8a1b6519a0

Author: alnr

driver/registry_sql_test.go

@@ -23,10 +23,10 @@ import (
 
 	"github.com/ory/hydra/v2/client"
 	"github.com/ory/hydra/v2/driver/config"
+	"github.com/ory/hydra/v2/fosite"
 	"github.com/ory/hydra/v2/persistence/sql"
 	"github.com/ory/x/configx"
 	"github.com/ory/x/dbal"
-	"github.com/ory/x/httpx"
 	"github.com/ory/x/logrusx"
 	"github.com/ory/x/popx"
 	"github.com/ory/x/randx"
@@ -39,6 +39,12 @@ func init() {
 func TestGetJWKSFetcherStrategyHostEnforcement(t *testing.T) {
 	t.Parallel()
 
+	ts := httptest.NewServer(http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+		t.Fatal("Should not be called")
+		writer.WriteHeader(http.StatusOK)
+	}))
+	t.Cleanup(ts.Close)
+
 	r, err := New(t.Context(), WithAutoMigrate(), WithConfigOptions(
 		configx.WithValues(map[string]any{
 			config.KeyDSN:                         dbal.NewSQLiteTestDatabase(t),
@@ -49,8 +55,10 @@ func TestGetJWKSFetcherStrategyHostEnforcement(t *testing.T) {
 	))
 	require.NoError(t, err)
 
-	_, err = r.OAuth2Config().GetJWKSFetcherStrategy(t.Context()).Resolve(t.Context(), "http://localhost:8080", true)
-	require.ErrorAs(t, err, new(httpx.ErrPrivateIPAddressDisallowed))
+	_, err = r.OAuth2Config().GetJWKSFetcherStrategy(t.Context()).Resolve(t.Context(), ts.URL, true)
+	rfcErr, ok := errors.AsType[*fosite.RFC6749Error](err)
+	require.True(t, ok, "expected a fosite.RFC6749Error, got %T: %+v", err, err)
+	require.Contains(t, rfcErr.DebugField, "no route to host")
 }
 
 func TestRegistrySQL_newKeyStrategy_handlesNetworkError(t *testing.T) {
@@ -133,7 +141,7 @@ func TestRegistrySQL_HTTPClient(t *testing.T) {
 
 	t.Run("case=does not match exception glob", func(t *testing.T) {
 		_, err := r.HTTPClient(t.Context()).Get(ts.URL + "/foo")
-		assert.ErrorContains(t, err, "prohibited IP address")
+		assert.Error(t, err)
 	})
 }
 

oryx/httpx/private_ip_validator.go

@@ -5,6 +5,7 @@ package httpx
 
 import (
 	"context"
+	"errors"
 	"net"
 	"net/http"
 	"net/http/httptrace"
@@ -43,33 +44,12 @@ func (n noInternalIPRoundTripper) RoundTrip(request *http.Request) (*http.Respon
 }
 
 var (
-	prohibitInternalAllowIPv6 http.RoundTripper
-	allowInternalAllowIPv6    http.RoundTripper
-)
-
-func init() {
-	t, d := newDefaultTransport()
-	d.Control = ssrf.New(
+	prohibitInternalAllowIPv6 http.RoundTripper = OTELTraceTransport(ssrfTransport(
 		ssrf.WithAnyPort(),
 		ssrf.WithNetworks("tcp4", "tcp6"),
-	).Safe
-	prohibitInternalAllowIPv6 = OTELTraceTransport(t)
-}
+	))
 
-func init() {
-	t, d := newDefaultTransport()
-	d.Control = ssrf.New(
-		ssrf.WithAnyPort(),
-		ssrf.WithNetworks("tcp4"),
-	).Safe
-	t.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
-		return d.DialContext(ctx, "tcp4", addr)
-	}
-}
-
-func init() {
-	t, d := newDefaultTransport()
-	d.Control = ssrf.New(
+	allowInternalAllowIPv6 http.RoundTripper = OTELTraceTransport(ssrfTransport(
 		ssrf.WithAnyPort(),
 		ssrf.WithNetworks("tcp4", "tcp6"),
 		ssrf.WithAllowedV4Prefixes(
@@ -83,46 +63,64 @@ func init() {
 			netip.MustParsePrefix("::1/128"),  // Loopback (RFC 4193)
 			netip.MustParsePrefix("fc00::/7"), // Unique Local (RFC 4193)
 		),
-	).Safe
-	allowInternalAllowIPv6 = OTELTraceTransport(t)
-}
-
-func init() {
-	t, d := newDefaultTransport()
-	d.Control = ssrf.New(
-		ssrf.WithAnyPort(),
-		ssrf.WithNetworks("tcp4"),
-		ssrf.WithAllowedV4Prefixes(
-			netip.MustParsePrefix("10.0.0.0/8"),     // Private-Use (RFC 1918)
-			netip.MustParsePrefix("127.0.0.0/8"),    // Loopback (RFC 1122, Section 3.2.1.3))
-			netip.MustParsePrefix("169.254.0.0/16"), // Link Local (RFC 3927)
-			netip.MustParsePrefix("172.16.0.0/12"),  // Private-Use (RFC 1918)
-			netip.MustParsePrefix("192.168.0.0/16"), // Private-Use (RFC 1918)
-		),
-		ssrf.WithAllowedV6Prefixes(
-			netip.MustParsePrefix("::1/128"),  // Loopback (RFC 4193)
-			netip.MustParsePrefix("fc00::/7"), // Unique Local (RFC 4193)
-		),
-	).Safe
-	t.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
-		return d.DialContext(ctx, "tcp4", addr)
-	}
-}
+	))
+)
 
-func newDefaultTransport() (*http.Transport, *net.Dialer) {
+func ssrfTransport(opt ...ssrf.Option) *http.Transport {
 	dialer := net.Dialer{
 		Timeout:   30 * time.Second,
 		KeepAlive: 30 * time.Second,
 	}
+	dialer.Control = ssrf.New(opt...).Safe
+	dial := func(ctx context.Context, network string, address string) (net.Conn, error) {
+		c, err := dialer.DialContext(ctx, network, address)
+		if err == nil {
+			return c, nil
+		}
+
+		if dnsErr, ok := errors.AsType[*net.DNSError](err); ok {
+			dnsErr.Server = "" // mask our DNS server's IP address
+			return nil, err
+		}
+
+		if !errors.Is(err, ssrf.ErrProhibitedIP) {
+			return nil, err
+		}
+
+		host, _, _ := net.SplitHostPort(address)
+		_, addrErr := netip.ParseAddrPort(address)
+		if addrErr != nil {
+			// We were given a DNS name: the error we return must look like a DNS error.
+			return nil, &net.OpError{
+				Op:   "dial",
+				Net:  network,
+				Addr: nil,
+				Err: &net.DNSError{
+					Err:         "no such host",
+					Name:        host,
+					Server:      "",
+					IsTimeout:   false,
+					IsTemporary: false,
+					IsNotFound:  true,
+				},
+			}
+		}
+		return nil, &net.OpError{
+			Op:   "dial",
+			Net:  network,
+			Addr: nil,
+			Err:  errors.New("no route to host"),
+		}
+	}
 	return &http.Transport{
 		Proxy:                 http.ProxyFromEnvironment,
-		DialContext:           dialer.DialContext,
+		DialContext:           dial,
 		ForceAttemptHTTP2:     true,
 		MaxIdleConns:          100,
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
-	}, &dialer
+	}
 }
 
 // OTELTraceTransport wraps the given http.Transport with OpenTelemetry instrumentation.

oryx/httpx/ssrf.go

@@ -31,7 +31,9 @@ func WaitForEndpointWithClient(ctx context.Context, client *http.Client, endpoin
 		if err != nil {
 			return err
 		}
-		defer res.Body.Close()
+		defer func() {
+			_ = res.Body.Close()
+		}()
 
 		body, err := io.ReadAll(res.Body)
 		if err != nil {