diff --git a/agent/session/plugins/port/port.go b/agent/session/plugins/port/port.go
index 799592589..09168e572 100644
--- a/agent/session/plugins/port/port.go
+++ b/agent/session/plugins/port/port.go
@@ -296,8 +296,17 @@ func (p *PortPlugin) validateParameters(portParameters PortParameters, config ag
 // Port forwarding to IMDS, VPC DNS, and local IP address is not allowed
 hostIPAddress := net.ParseIP(host)
 for _, address := range append(appConfig.Mgs.DeniedPortForwardingRemoteIPs, dnsAddress...) {
- if hostIPAddress.Equal(net.ParseIP(address)) {
- return errors.New(fmt.Sprintf("Forwarding to IP address %s is forbidden.", portParameters.Host))
+ _, network, err := net.ParseCIDR(address)
+ if err != nil {
+ // Not a CIDR
+ if hostIPAddress.Equal(net.ParseIP(address)) {
+ return errors.New(fmt.Sprintf("Forwarding to IP address %s is forbidden.", portParameters.Host))
+ }
+ } else {
+ // CIDR
+ if network.Contains(hostIPAddress) {
+ return errors.New(fmt.Sprintf("Forwarding to IP address %s is forbidden.", portParameters.Host))
+ }
 }
 }
 }
diff --git a/agent/session/plugins/port/port_test.go b/agent/session/plugins/port/port_test.go
index 7d0b2c8f8..11329b5d0 100644
--- a/agent/session/plugins/port/port_test.go
+++ b/agent/session/plugins/port/port_test.go
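Review bot: In the new `// Not a CIDR` branch an entry that is neither a CIDR nor a valid IP literal is silently skipped: `net.ParseIP(address)` returns nil, `hostIPAddress.Equal(nil)` is false for any parsed host, and the loop simply continues, so a typo in `DeniedPortForwardingRemoteIPs` (for example a dropped prefix length) quietly weakens a denylist that exists to protect IMDS and VPC DNS. Check the ParseIP result and at least log the bad entry (or fail closed, if a misconfigured denylist should refuse all forwarding), which also makes the fallback branch's intent explicit, and the two identical `errors.New(fmt.Sprintf(...))` lines can become `fmt.Errorf` with the same message. A related caveat I cannot verify from the hunk: if `host` may be a hostname rather than a literal, `hostIPAddress` is nil and neither comparison fires, so the denylist would only be meaningful if the caller resolves names before this point. validateParameters starts before this hunk and, as far as visible, continues after it, so the `log.Warnf` below assumes a logger named `log` is in scope — adjust to whatever the function already uses.
```go
for _, address := range append(appConfig.Mgs.DeniedPortForwardingRemoteIPs, dnsAddress...) {
	_, network, err := net.ParseCIDR(address)
	if err != nil {
		// Not a CIDR: the entry must be a single IP literal.
		deniedIP := net.ParseIP(address)
		if deniedIP == nil {
			log.Warnf("ignoring malformed DeniedPortForwardingRemoteIPs entry %q", address)
			continue
		}
		if hostIPAddress.Equal(deniedIP) {
			return fmt.Errorf("Forwarding to IP address %s is forbidden.", portParameters.Host)
		}
	} else if network.Contains(hostIPAddress) {
		return fmt.Errorf("Forwarding to IP address %s is forbidden.", portParameters.Host)
	}
}
```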
@@ -334,7 +334,7 @@ func (suite *PortTestSuite) TestValidateParametersWhenDefaultDenylistHostNotAllo
 mockContext := &context.Mock{}
 suite.plugin.context = mockContext
- mockContext.On("AppConfig").Return(appconfig.SsmagentConfig{Mgs: appconfig.MgsConfig{DeniedPortForwardingRemoteIPs: []string{"169.254.169.254", "fd00:ec2::254", "169.254.169.253", "fd00:ec2::253", "169.254.169.123", "169.254.169.250"}}})
+ mockContext.On("AppConfig").Return(appconfig.SsmagentConfig{Mgs: appconfig.MgsConfig{DeniedPortForwardingRemoteIPs: []string{"169.254.169.254", "fd00:ec2::254", "169.254.169.253", "fd00:ec2::253", "169.254.169.123", "169.254.169.250", "10.0.0.0/16"}}})
 mockContext.On("Log").Return(mockLog)
 err := suite.plugin.validateParameters(PortParameters{PortNumber: "80", Host: "169.254.169.253"}, configuration)
@@ -349,7 +349,8 @@ func (suite *PortTestSuite) TestValidateParametersWhenDefaultDenylistHostNotAllo
 assert.Contains(suite.T(), err.Error(), "Forwarding to IP address 169.254.169.250 is forbidden.")
 err = suite.plugin.validateParameters(PortParameters{PortNumber: "80", Host: "169.254.169.123"}, configuration)
 assert.Contains(suite.T(), err.Error(), "Forwarding to IP address 169.254.169.123 is forbidden.")
-
+ err = suite.plugin.validateParameters(PortParameters{PortNumber: "80", Host: "10.0.15.24"}, configuration)
+ assert.Contains(suite.T(), err.Error(), "Forwarding to IP address 10.0.15.24 is forbidden.")
 mockContext.AssertExpectations(suite.T())
 }
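Review bot: The added assertion calls `err.Error()` without first checking that `err` is non-nil, so a regression in the new CIDR branch — the very thing this case is meant to catch — would show up as a nil-interface panic inside the test rather than a readable failure; `assert.EqualError(suite.T(), err, "Forwarding to IP address 10.0.15.24 is forbidden.")` checks both in one call (the pre-existing lines share the shape, but the new one need not repeat it). The denylist now mixes IPv4 literals, IPv6 literals and one IPv4 CIDR, yet no case exercises an IPv6 CIDR entry or an IPv4-mapped host such as `::ffff:10.0.15.24`, which `net.IPNet.Contains` should match through its `To4()` normalisation — a case for each would pin that path. TestValidateParametersWhenDefaultDenylistHostNotAllowed starts before the first hunk.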
@@ -357,11 +358,13 @@ func (suite *PortTestSuite) TestValidateParametersWhenValidHostAndPort() {
 mockContext := &context.Mock{}
 suite.plugin.context = mockContext
- mockContext.On("AppConfig").Return(appconfig.SsmagentConfig{Mgs: appconfig.MgsConfig{DeniedPortForwardingRemoteIPs: []string{"169.254.169.254", "fd00:ec2::254", "169.254.169.253", "fd00:ec2::253"}}})
+ mockContext.On("AppConfig").Return(appconfig.SsmagentConfig{Mgs: appconfig.MgsConfig{DeniedPortForwardingRemoteIPs: []string{"169.254.169.254", "fd00:ec2::254", "169.254.169.253", "fd00:ec2::253", "10.0.0.0/16"}}})
 mockContext.On("Log").Return(mockLog)
 err := suite.plugin.validateParameters(PortParameters{PortNumber: "80", Host: "127.0.0.1"}, configuration)
 assert.Nil(suite.T(), err)
+ err = suite.plugin.validateParameters(PortParameters{PortNumber: "80", Host: "10.1.0.4"}, configuration)
+ assert.Nil(suite.T(), err)
 mockContext.AssertExpectations(suite.T())
 }