From 7838da973978ca8658912b82ad91a504a870f415 Mon Sep 17 00:00:00 2001
From: Brian Manifold
Date: Fri, 11 Oct 2024 14:15:29 -0700
Subject: [PATCH] fix(portal): Prevent upstream DNS config from using sentinel CIDR ranges (#7010)

Closes #6962
---
 .../lib/domain/accounts/config/changeset.ex | 12 ++++++
 .../apps/domain/test/domain/accounts_test.exs | 40 +++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/elixir/apps/domain/lib/domain/accounts/config/changeset.ex b/elixir/apps/domain/lib/domain/accounts/config/changeset.ex
index 82daae5f1..a926c9450 100644
--- a/elixir/apps/domain/lib/domain/accounts/config/changeset.ex
+++ b/elixir/apps/domain/lib/domain/accounts/config/changeset.ex
@@ -60,6 +60,7 @@ defmodule Domain.Accounts.Config.Changeset do
       message: "this type of DNS provider is not supported yet"
     )
     |> validate_address()
+    |> validate_reserved_ip_exclusion()
   end
 
   defp validate_address(changeset) do
@@ -82,6 +83,17 @@ defmodule Domain.Accounts.Config.Changeset do
     end)
   end
 
+  defp validate_reserved_ip_exclusion(changeset) do
+    if has_errors?(changeset, :address) do
+      changeset
+    else
+      Domain.Network.reserved_cidrs()
+      |> Enum.reduce(changeset, fn {_type, cidr}, changeset ->
+        validate_not_in_cidr(changeset, :address, cidr)
+      end)
+    end
+  end
+
   def notifications_changeset(notifications, attrs) do
     notifications
     |> cast(attrs, [])
diff --git a/elixir/apps/domain/test/domain/accounts_test.exs b/elixir/apps/domain/test/domain/accounts_test.exs
index e694b91b6..566f62c55 100644
--- a/elixir/apps/domain/test/domain/accounts_test.exs
+++ b/elixir/apps/domain/test/domain/accounts_test.exs
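Review bot: The reducer in validate_reserved_ip_exclusion rebinds `changeset` as its accumulator (`fn {_type, cidr}, changeset ->`), shadowing the function argument; it works because the accumulator starts from that same value, but naming it `acc` reads more honestly: `|> Enum.reduce(changeset, fn {_type, cidr}, acc -> validate_not_in_cidr(acc, :address, cidr) end)`. The function also deserves a why-comment, since the `|> validate_reserved_ip_exclusion()` call added in the first hunk silently depends on `validate_address/1` having run before it, e.g. `# Upstream DNS servers may not fall inside the sentinel CIDRs from Domain.Network.reserved_cidrs/0; skipped when :address already carries an error so a bad value is reported once`. Whether `validate_not_in_cidr/3` tolerates a non-IP `:address` (a hostname, if any supported provider type accepts one) is not visible in this hunk; if it can be non-IP, the check should be scoped to IP-typed entries or confirmed to no-op safely. The pipeline that the first hunk extends belongs to a function whose head is outside the hunk.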
@@ -482,6 +482,46 @@ defmodule Domain.AccountsTest do
       }
     end
 
+    test "returns error on dns config address in IPv4 sentinel range", %{account: account} do
+      attrs = %{
+        config: %{
+          clients_upstream_dns: [
+            %{protocol: "ip_port", address: "100.64.10.1"}
+          ]
+        }
+      }
+
+      assert {:error, changeset} = update_account_by_id(account.id, attrs)
+
+      assert errors_on(changeset) == %{
+               config: %{
+                 clients_upstream_dns: [
+                   %{address: ["cannot be in the CIDR 100.64.0.0/10"]}
+                 ]
+               }
+             }
+    end
+
+    test "returns error on dns config address in IPv6 sentinel range", %{account: account} do
+      attrs = %{
+        config: %{
+          clients_upstream_dns: [
+            %{protocol: "ip_port", address: "fd00:2021:1111:10::"}
+          ]
+        }
+      }
+
+      assert {:error, changeset} = update_account_by_id(account.id, attrs)
+
+      assert errors_on(changeset) == %{
+               config: %{
+                 clients_upstream_dns: [
+                   %{address: ["cannot be in the CIDR fd00:2021:1111::/48"]}
+                 ]
+               }
+             }
+    end
+
     test "updates account and broadcasts a message", %{account: account} do
       Bypass.open()
       |> Domain.Mocks.Stripe.mock_update_customer_endpoint(account)
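Review bot: Both new tests reject one interior address per sentinel range but never pin the range edges or an address just outside them, so an inclusive/exclusive boundary mistake in `validate_not_in_cidr/3` would go unnoticed; add cases for the first and last addresses of `100.64.0.0/10` and for a neighbour such as `100.128.0.1` (constructed example) asserting `{:ok, _}`, unless an earlier test in this file already covers an accepted address adjacent to the range. The literal expected strings (`"cannot be in the CIDR 100.64.0.0/10"`) are useful regression pins but couple the tests to the exact contents of `Domain.Network.reserved_cidrs/0`; if that list is meant to be the single source of truth, deriving the expected message from it would stop the tests from drifting silently when a range is added or changed. The describe/setup that supplies `account` to these tests presumably starts outside the hunk.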