private_address_check

Raise PrivateAddressCheck::PrivateConnectionAttemptedError even when host is missing

Open bwillis opened this issue 6 years ago • 2 comments

In fixing the TOCTOU issue, the behavior changed in checking addresses. It now will only fail when the server exists. This seems less ideal because, assuming the errors are shown back to the user, it can reveal what servers/ports exist locally. For example, a user could enumerate the localhost ports, and based on what is "Not Found" vs "Not allowed to use a private address", this would leak information about the system.

I feel like this should be handled by the gem, but if not, I can catch this locally around the private_address_check's and cover my use case.

bwillis, Jun 12 '18 00:06
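
The difference described in the issue above, modelled as an added example (not the gem's code and not part of the original thread). The error class is a local stand-in for `PrivateAddressCheck::PrivateConnectionAttemptedError`; the connector, the listening port and the method names are constructed assumptions so the block runs without the gem or a network.

```ruby
require "ipaddr"

# Local stand-in for the gem's PrivateAddressCheck::PrivateConnectionAttemptedError,
# defined here so the example runs without the gem installed.
class PrivateConnectionAttemptedError < StandardError; end

PRIVATE_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def private_ip?(ip)
  addr = IPAddr.new(ip)
  PRIVATE_RANGES.any? { |range| range.include?(addr) }
end

# Constructed connector: pretends only port 6379 has a listener.
LISTENING_PORTS = [6379].freeze
FAKE_CONNECT = lambda do |_ip, port|
  raise Errno::ECONNREFUSED unless LISTENING_PORTS.include?(port)
  :socket
end

# Behaviour described in the issue: the address is checked only once a
# connection exists, so a closed port surfaces a different error.
def check_after_connect(ip, port, connect: FAKE_CONNECT)
  socket = connect.call(ip, port)
  raise PrivateConnectionAttemptedError if private_ip?(ip)
  socket
end

# Behaviour requested in the issue: reject before any connection attempt,
# so the outcome does not depend on whether something is listening.
def check_before_connect(ip, port, connect: FAKE_CONNECT)
  raise PrivateConnectionAttemptedError if private_ip?(ip)
  connect.call(ip, port)
end

# Returns the error class a caller would see, or :connected.
def outcome(strategy, ip, port)
  send(strategy, ip, port)
  :connected
rescue PrivateConnectionAttemptedError, SystemCallError => e
  e.class
end
```

With the check placed before the connection, both private-address cases return the same error class, which is the property the issue asks the gem to guarantee.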

@jtdowney thoughts on this?

reedloden, Jun 13 '18 16:06

This would be really great to get merged in!

slavingia, Jun 19 '18 17:06