cybersecurity · intermediate · ~20 min
The SSRF allow-list pattern: refuse internal addresses.
Given an IPv4 address as four unsigned char octets, determine whether
it falls into any of these reserved ranges (which a public-facing service
should NEVER fetch from):
- 10.0.0.0/8 (RFC 1918 private)
- 127.0.0.0/8 (loopback)
- 169.254.0.0/16 (link-local)
- 172.16.0.0/12 (RFC 1918 private)
- 192.168.0.0/16 (RFC 1918 private)
- 224.0.0.0/4 (multicast)
Implement int is_internal_ipv4(unsigned char a, unsigned char b, unsigned char c, unsigned char d),
returning 1 if the address falls in any of the above ranges, 0 otherwise.
A web app that fetches a user-supplied URL is the textbook SSRF target. Resolving the host and refusing any result that lands in an internal range closes that class of bug.
Input: 4 octets.
Output: 0/1.
Constraints: pure logic; no DNS.
Starter stub (replace the body):

    int is_internal_ipv4(unsigned char a, unsigned char b, unsigned char c, unsigned char d)
    {
        /* TODO */
        (void)a; (void)b; (void)c; (void)d;
        return 0;
    }
Common pitfall: 172.16.0.0/12 covers second octets 16 through 31 inclusive, not 16 through 32.
Boundary cases: 172.16.0.0, 172.31.255.255, 172.32.0.0 (just outside); 224.0.0.0 at the start of the multicast range.
Complexity: O(1).
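A reference implementation, added here as an example and not the exercise's official solution: it packs the four octets into a 32-bit value and compares it against a table of CIDR prefixes, so the six ranges above are data rather than scattered comparisons and the boundary cases fall out of the mask arithmetic. The struct and helper names (other than is_internal_ipv4) are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One CIDR block: network address (host byte order) and prefix length. */
struct cidr { uint32_t net; unsigned prefix; };

/* Exactly the six ranges named in the exercise. */
static const struct cidr kInternal[] = {
    { 0x0A000000u,  8 },  /* 10.0.0.0/8      RFC 1918 private */
    { 0x7F000000u,  8 },  /* 127.0.0.0/8     loopback         */
    { 0xA9FE0000u, 16 },  /* 169.254.0.0/16  link-local       */
    { 0xAC100000u, 12 },  /* 172.16.0.0/12   RFC 1918 private */
    { 0xC0A80000u, 16 },  /* 192.168.0.0/16  RFC 1918 private */
    { 0xE0000000u,  4 },  /* 224.0.0.0/4     multicast        */
};

/* Netmask for a prefix length 0..32; prefix 0 is special-cased because
 * shifting a 32-bit value by 32 is undefined behaviour in C. */
static uint32_t prefix_mask(unsigned prefix)
{
    return prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
}

/* Returns 1 if a.b.c.d lies in any listed range, 0 otherwise. Pure
 * arithmetic on the octets: no DNS, no allocation, constant time. */
int is_internal_ipv4(unsigned char a, unsigned char b, unsigned char c, unsigned char d)
{
    uint32_t ip = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    for (size_t i = 0; i < sizeof kInternal / sizeof kInternal[0]; i++) {
        uint32_t mask = prefix_mask(kInternal[i].prefix);
        if ((ip & mask) == (kInternal[i].net & mask))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* The boundary cases called out in the exercise, plus one public address
     * (203.0.113.10 is from the TEST-NET-3 documentation block). */
    printf("172.16.0.0     -> %d\n", is_internal_ipv4(172, 16, 0, 0));     /* 1 */
    printf("172.31.255.255 -> %d\n", is_internal_ipv4(172, 31, 255, 255)); /* 1 */
    printf("172.32.0.0     -> %d\n", is_internal_ipv4(172, 32, 0, 0));     /* 0 */
    printf("224.0.0.0      -> %d\n", is_internal_ipv4(224, 0, 0, 0));      /* 1 */
    printf("203.0.113.10   -> %d\n", is_internal_ipv4(203, 0, 113, 10));   /* 0 */
    return 0;
}
```

In a real fetcher the check runs on the address the socket will actually connect to, i.e. after name resolution and on every redirect hop, not on the hostname string the user typed.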
Solve this exercise in the browser editor — compile and run against the test harness, no setup required.