From 37a2570643abcf938201767540a9d057946e5c3c Mon Sep 17 00:00:00 2001
From: Neel Chauhan
Date: Mon, 14 Oct 2024 08:40:41 -0400
Subject: [PATCH] Block remote IPs and not just hostnames
---
 proxy/lib/snowflake.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/proxy/lib/snowflake.go b/proxy/lib/snowflake.go
index d408c89..6fcc46d 100644
--- a/proxy/lib/snowflake.go
+++ b/proxy/lib/snowflake.go
@@ -690,9 +690,15 @@ func checkIsRelayURLAcceptable(
 }
 if !allowPrivateIPs {
 hostname := parsedRelayURL.Hostname()
+ ipArray, _ := net.LookupIP(hostname)
 if isHostnameLocal(hostname) {
 return fmt.Errorf("rejected Relay URL: private hostnames are not allowed")
 }
+ for _, ip := range ipArray {
+ if !isRemoteAddress(ip) {
+ return fmt.Errorf("rejected Relay URL: private IPs are not allowed")
+ }
+ }
 ip := net.ParseIP(hostname)
 // Otherwise it's a domain name, or an invalid IP.
 if ip != nil {
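Review bot: The added `ipArray, _ := net.LookupIP(hostname)` discards the lookup error, so when resolution fails `ipArray` is empty, the new loop does nothing, and the URL passes the private-IP check without any address having been examined. I would fail closed and run the lookup only after the `isHostnameLocal` test, so local names are rejected without a DNS query: `ipArray, err := net.LookupIP(hostname)` followed by `if err != nil { return fmt.Errorf("rejected Relay URL: cannot resolve hostname: %w", err) }`. The check also validates one resolution while the later connection presumably resolves the name again (the dial is outside this hunk), so a name whose answer changes between the two can still reach a private address; a comment such as `// NOTE: this resolution is advisory; the address actually dialed must be re-checked` would record that limit. `net.LookupIP` takes no context, so a slow resolver blocks this call for as long as the system resolver allows. checkIsRelayURLAcceptable begins and ends outside the hunk.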