From f1e9f58b47152a78e73138d88055551a05d70250 Mon Sep 17 00:00:00 2001
From: Neel Chauhan <neel@neelc.org>
Date: Thu, 17 Oct 2024 19:24:34 -0400
Subject: [PATCH] Move IP check

---
 proxy/lib/snowflake.go | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/proxy/lib/snowflake.go b/proxy/lib/snowflake.go
index 483a5e0..a90ea65 100644
--- a/proxy/lib/snowflake.go
+++ b/proxy/lib/snowflake.go
@@ -674,15 +674,6 @@ func checkIsRelayURLAcceptable(
 		if util.IsHostnameLocal(hostname) {
 			return fmt.Errorf("rejected Relay URL: private hostnames are not allowed")
 		}
-		ipArray, err := net.LookupIP(hostname)
-		if err != nil {
-			return fmt.Errorf("Could not look up IP")
-		}
-		for _, ip := range ipArray {
-			if !isRemoteAddress(ip) {
-				return fmt.Errorf("rejected Relay URL: private IPs are not allowed")
-			}
-		}
 		ip := net.ParseIP(hostname)
 		// Otherwise it's a domain name, or an invalid IP.
 		if ip != nil {
@@ -691,8 +682,16 @@ func checkIsRelayURLAcceptable(
 				return fmt.Errorf("rejected Relay URL: private IPs are not allowed")
 			}
 		} else {
-            // move net.LookupIP(hostname) and isRemoteAddress checks here
-        }
+			ipArray, err := net.LookupIP(hostname)
+			if err != nil {
+				return fmt.Errorf("Could not look up IP")
+			}
+			for _, ip := range ipArray {
+				if !isRemoteAddress(ip) {
+					return fmt.Errorf("rejected Relay URL: private IPs are not allowed")
+				}
+			}
+		}
 	}
 	if !allowNonTLSRelay && parsedRelayURL.Scheme != "wss" {
 		return fmt.Errorf("rejected Relay URL protocol: non-TLS not allowed")