diff --git a/internal/fields/_static/allowed_geo_ips.txt b/internal/fields/_static/allowed_geo_ips.txt
index 59140eeb2..c3aa0d049 100644
--- a/internal/fields/_static/allowed_geo_ips.txt
+++ b/internal/fields/_static/allowed_geo_ips.txt
@@ -8,3 +8,23 @@
 89.160.20.128/25
 67.43.156.0/24
 2a02:cf40::/29
+1.1.1.1/32
+1.1.1.2/32
+1.1.1.3/32
+1.0.0.1/32
+1.0.0.2/32
+1.0.0.3/32
+2606:4700:4700::1111/128
+2606:4700:4700::1112/128
+2606:4700:4700::1113/128
+2606:4700:4700::1001/128
+2606:4700:4700::1002/128
+2606:4700:4700::1003/128
+2606:4700:4700::64/128
+2606:4700:4700::6400/128
+8.8.8.8/32
+8.8.4.4/32
+2001:4860:4860::8888/128
+2001:4860:4860::8844/128
+2001:4860:4860::64/128
+2001:4860:4860::6464/128
diff --git a/internal/fields/validate.go b/internal/fields/validate.go
index 76eb564a3..30ed5dba6 100644
--- a/internal/fields/validate.go
+++ b/internal/fields/validate.go
@@ -214,6 +214,25 @@ func initializeAllowedCIDRsList() (cidrs []*net.IPNet) {
 return cidrs
 }
+// IsDocumentation reports whether ip is a reserved address for documentation,
+// according to RFC 5737 (IPv4 Address Blocks Reserved for Documentation) and
+// RFC 3849 (IPv6 Address Prefix Reserved for Documentation).
+func IsDocumentation(ip net.IP) bool {
+ if ip4 := ip.To4(); ip4 != nil {
+ // Following RFC 5737, Section 3. Documentation Address Blocks which says:
+ // The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2),
+ // and 203.0.113.0/24 (TEST-NET-3) are provided for use in
+ // documentation.
+ return ((ip4[0] == 192 && ip4[1] == 0 && ip4[2] == 2) ||
+ (ip4[0] == 198 && ip4[1] == 51 && ip4[2] == 100) ||
+ (ip4[0] == 203 && ip4[1] == 0 && ip4[2] == 113))
+ }
+ // Following RFC 3849, Section 2. Documentation IPv6 Address Prefix which
+ // says:
+ // The prefix allocated for documentation purposes is 2001:DB8::/32
+ return len(ip) == net.IPv6len && ip[0] == 32 && ip[1] == 1 && ip[2] == 13 && ip[3] == 184
+}
+
 func loadFieldsFromDir(fieldsDir string) ([]FieldDefinition, error) {
 files, err := filepath.Glob(filepath.Join(fieldsDir, "*.yml"))
 if err != nil {
@@ -648,6 +667,7 @@ func (v *Validator) isAllowedIPValue(s string) bool {
 if ip.IsUnspecified() ||
 ip.IsPrivate() ||
+ IsDocumentation(ip) ||
 ip.IsLoopback() ||
 ip.IsLinkLocalUnicast() ||
 ip.IsLinkLocalMulticast() ||
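Review bot: The IPv6 branch of `IsDocumentation` spells the prefix bytes as decimal literals (`32`, `1`, `13`, `184`), which is hard to check by eye against 2001:db8::/32 in a function that appears to widen the set of addresses the validator accepts. Writing them in hex, `ip[0] == 0x20 && ip[1] == 0x01 && ip[2] == 0x0d && ip[3] == 0xb8`, or parsing the four RFC prefixes once with `net.ParseCIDR` and testing with `Contains`, keeps the accepted ranges auditable against the RFC text. `ip.To4()` also returns non-nil for IPv4-mapped IPv6 input, so `::ffff:192.0.2.1` takes the IPv4 branch; the doc comment should state that this is intended. No test for the new function is visible in this diff, so a table test with the addresses on each side of every prefix boundary (for example `192.0.2.255` and `192.0.3.0`) would pin the behaviour that `isAllowedIPValue` relies on in the second hunk, whose body continues outside the hunk.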