Skip to content

Don't allow loopback IP addresses for hosts #2920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gbrodman merged 1 commit into from
Jan 5, 2026
Merged

Don't allow loopback IP addresses for hosts #2920

gbrodman merged 1 commit into from
Jan 5, 2026

Conversation

@gbrodman
Copy link
Collaborator

@gbrodman gbrodman commented Jan 2, 2026
edited
Loading

I don't know where in the spec these are explicitly disallowed, but it seems like good practice and we'll fail the RST tests if we don't disallow them.

This change is Reviewable

@gbrodman gbrodman requested a review from CydeWeys January 2, 2026 23:27
CydeWeys
CydeWeys requested changes Jan 5, 2026
View reviewed changes
Copy link
Member

@CydeWeys CydeWeys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CydeWeys made 1 comment.
Reviewable status: 0 of 5 files reviewed, 1 unresolved discussion (waiting on @gbrodman).

core/src/main/java/google/registry/flows/host/HostFlowUtils.java line 116 at r1 (raw file):

  public static void validateInetAddresses(ImmutableSet<InetAddress> inetAddresses)
      throws EppException {
    if (inetAddresses == null) {

No need for this. You're always passing in a minimum of an empty set. (See implementation of getInetAddresses())

gbrodman
gbrodman commented Jan 5, 2026
View reviewed changes
Copy link
Collaborator Author

@gbrodman gbrodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gbrodman made 1 comment.
Reviewable status: 0 of 5 files reviewed, 1 unresolved discussion (waiting on @CydeWeys).

core/src/main/java/google/registry/flows/host/HostFlowUtils.java line 116 at r1 (raw file):

Previously, CydeWeys (Ben McIlwain) wrote…

No need for this. You're always passing in a minimum of an empty set. (See implementation of getInetAddresses())

sure

CydeWeys
CydeWeys reviewed Jan 5, 2026
View reviewed changes
Copy link
Member

@CydeWeys CydeWeys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CydeWeys resolved 1 discussion.
Reviewable status: 0 of 5 files reviewed, all discussions resolved.

CydeWeys
CydeWeys approved these changes Jan 5, 2026
View reviewed changes
Copy link
Member

@CydeWeys CydeWeys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CydeWeys reviewed 5 files and all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @gbrodman).

@gbrodman gbrodman enabled auto-merge January 5, 2026 19:11
@gbrodman
Don't allow loopback IP addresses for hosts
f887a50 
I don't know where in the spec these are explicitly disallowed, but it
seems like good practice and we'll fail the RST tests if we don't
disallow them.
gbrodman
gbrodman commented Jan 5, 2026
View reviewed changes
Copy link
Collaborator Author

@gbrodman gbrodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actually inetAddresses can be null, e.g. https://github.com/google/nomulus/blob/master/core/src/main/java/google/registry/model/host/HostCommand.java#L57

@gbrodman made 1 comment.
Reviewable status: 4 of 5 files reviewed, all discussions resolved (waiting on @CydeWeys).

@gbrodman gbrodman added this pull request to the merge queue Jan 5, 2026
CydeWeys
CydeWeys requested changes Jan 5, 2026
View reviewed changes
Copy link
Member

@CydeWeys CydeWeys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CydeWeys made 1 comment.
Reviewable status: 4 of 5 files reviewed, 1 unresolved discussion (waiting on @gbrodman).

core/src/main/java/google/registry/flows/host/HostFlowUtils.java line 114 at r3 (raw file):

  /** Makes sure that no provided IP addresses are local / loopback addresses. */
  public static void validateInetAddresses(ImmutableSet<InetAddress> inetAddresses)

Mark param with @Nullable then.

Merged via the queue into google:master with commit 9555dca Jan 5, 2026
9 of 10 checks passed
@gbrodman gbrodman deleted the forbidLocalhost branch January 5, 2026 23:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@CydeWeys CydeWeys CydeWeys requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gbrodman @CydeWeys