Fix parsing ipv6 address with scope id (#1841)

* Fix parsing ipv6 address with scope id Also allows connections from link local unicast address * Add unit tests
2025-12-17 20:34:37 +03:00 · 2021-10-20 16:52:15 +11:00
parent 8b7720e3bf
commit 976038424b
3 changed files with 220 additions and 1 deletions
--- a/pkg/session/authentication.go
+++ b/pkg/session/authentication.go
@@ -29,7 +29,16 @@ func CheckAllowPublicWithoutAuth(c *config.Instance, r *http.Request) error {
 			return fmt.Errorf("error parsing remote host (%s): %w", r.RemoteAddr, err)
 		}

+		// presence of scope ID in IPv6 addresses prevents parsing. Remove if present
+		scopeIDIndex := strings.Index(requestIPString, "%")
+		if scopeIDIndex != -1 {
+			requestIPString = requestIPString[0:scopeIDIndex]
+		}
+
 		requestIP := net.ParseIP(requestIPString)
+		if requestIP == nil {
+			return fmt.Errorf("unable to parse remote host (%s)", requestIPString)
+		}

 		if r.Header.Get("X-FORWARDED-FOR") != "" {
 			// Request was proxied
@@ -92,7 +101,7 @@ func CheckExternalAccessTripwire(c *config.Instance) *ExternalAccessError {

 func isLocalIP(requestIP net.IP) bool {
 	_, cgNatAddrSpace, _ := net.ParseCIDR("100.64.0.0/10")
-	return requestIP.IsPrivate() || requestIP.IsLoopback() || cgNatAddrSpace.Contains(requestIP)
+	return requestIP.IsPrivate() || requestIP.IsLoopback() || requestIP.IsLinkLocalUnicast() || cgNatAddrSpace.Contains(requestIP)
 }

 func isIPTrustedProxy(ip net.IP, trustedProxies []string) bool {