Too easy to avoid hostname blocklist in safe_requests

[tjs-intel]

Need to harden against all possible permutations allowed by inet_aton https://linux.die.net/man/3/inet_aton. Should be easiest to attempt to parse the host with inet_aton and check the resulting integer.

[tjs-intel]

@drdavella

[tjs-intel]

There's actually a large number of ways to express 192.168.1.1 as a valid IPv4 address. Here's a small sample of IP addresses that all resolve to 192.168.1.1:

192.168.257
192.11010305
0xC0.168.1.1
192.168.0x101
0300.168.0401
0xC0.052000401

https://linux.die.net/man/3/inet_aton

The address supplied in cp can have one of the following forms: a.b.c.d, a.b.c, a.b, a
In all of the above forms, components of the dotted address can be specified in decimal, octal (with a leading 0), or hexadecimal, with a leading 0X).

[drdavella]

@tjs-intel thanks this is also extremely helpful feedback. It would be good to see whether there's some prior art for this kind of thing or whether we should just build it ourselves.

[tjs-intel]

The C implementation of inet_aton can be accessed via socket.inet_aton.

But you could also enforce that the IPv4 address conforms to the 4-part dotted decimal format, and raise some kind of exception if it doesn't.

[drdavella]

But you could also enforce that the IPv4 address conforms to the 4-part dotted decimal format, and raise some kind of exception if it doesn't.

That seems reasonable to me; @matt- any thoughts?

[tjs-intel]

For your consideration https://github.com/stripe/smokescreen

[drdavella]

@tjs-intel this is pretty interesting! It would be cool if there were Python bindings or if a similar project existed for native Python. In either case maybe we can use it for inspiration here.