fix(portal): Prevent upstream DNS config from using sentinel CIDR ranges (#7010)

Closes #6962
2026-01-27 10:18:54 +00:00 · 2024-10-11 14:15:29 -07:00
parent f1cd137e24
commit 7838da9739
2 changed files with 52 additions and 0 deletions
--- a/elixir/apps/domain/lib/domain/accounts/config/changeset.ex
+++ b/elixir/apps/domain/lib/domain/accounts/config/changeset.ex
@@ -60,6 +60,7 @@ defmodule Domain.Accounts.Config.Changeset do
      message: "this type of DNS provider is not supported yet"
    )
    |> validate_address()
+    |> validate_reserved_ip_exclusion()
  end

  defp validate_address(changeset) do
@@ -82,6 +83,17 @@ defmodule Domain.Accounts.Config.Changeset do
    end)
  end

+  defp validate_reserved_ip_exclusion(changeset) do
+    if has_errors?(changeset, :address) do
+      changeset
+    else
+      Domain.Network.reserved_cidrs()
+      |> Enum.reduce(changeset, fn {_type, cidr}, changeset ->
+        validate_not_in_cidr(changeset, :address, cidr)
+      end)
+    end
+  end
+
  def notifications_changeset(notifications, attrs) do
    notifications
    |> cast(attrs, [])
--- a/elixir/apps/domain/test/domain/accounts_test.exs
+++ b/elixir/apps/domain/test/domain/accounts_test.exs
@@ -482,6 +482,46 @@ defmodule Domain.AccountsTest do
             }
    end

+    test "returns error on dns config address in IPv4 sentinel range", %{account: account} do
+      attrs = %{
+        config: %{
+          clients_upstream_dns: [
+            %{protocol: "ip_port", address: "100.64.10.1"}
+          ]
+        }
+      }
+
+      assert {:error, changeset} = update_account_by_id(account.id, attrs)
+
+      assert errors_on(changeset) == %{
+               config: %{
+                 clients_upstream_dns: [
+                   %{address: ["cannot be in the CIDR 100.64.0.0/10"]}
+                 ]
+               }
+             }
+    end
+
+    test "returns error on dns config address in IPv6 sentinel range", %{account: account} do
+      attrs = %{
+        config: %{
+          clients_upstream_dns: [
+            %{protocol: "ip_port", address: "fd00:2021:1111:10::"}
+          ]
+        }
+      }
+
+      assert {:error, changeset} = update_account_by_id(account.id, attrs)
+
+      assert errors_on(changeset) == %{
+               config: %{
+                 clients_upstream_dns: [
+                   %{address: ["cannot be in the CIDR fd00:2021:1111::/48"]}
+                 ]
+               }
+             }
+    end
+
    test "updates account and broadcasts a message", %{account: account} do
      Bypass.open()
      |> Domain.Mocks.Stripe.mock_update_customer_endpoint(account)