Allow allowing/blocking hosts by IP range

README.md

@@ -208,9 +208,11 @@ Alternately, try running:
 Reloading the [codercat URL][] will still return an error message.
 
 You can specify multiple hosts as a comma separated list to either flag, or
-prefix a host value with `*.` to allow or deny all sub-domains as well.
+prefix a host value with `*.` to allow or deny all sub-domains. You can
+also specify a netblock in CIDR notation (`127.0.0.0/8`) -- this is useful for
+blocking reserved ranges like `127.0.0.0/8`, `192.168.0.0/16`, etc.
 
-If a host matches both an allowed an a denied host, the request will be denied.
+If a host matches both an allowed and denied host, the request will be denied.
 
 ### Allowed Content-Type List ###
 

imageproxy.go

@@ -28,6 +28,7 @@ import (
 	"io/ioutil"
 	"log"
 	"mime"
+	"net"
 	"net/http"
 	"net/url"
 	"path"
@@ -324,6 +325,16 @@ func hostMatches(hosts []string, u *url.URL) bool {
 		if strings.HasPrefix(host, "*.") && strings.HasSuffix(u.Host, host[2:]) {
 			return true
 		}
+		// Checks whether the host in u is an IP
+		if ip := net.ParseIP(u.Host); ip != nil {
+			// Checks whether our current host is a CIDR
+			if _, ipnet, err := net.ParseCIDR(host); err == nil {
+				// Checks if our host contains the IP in u
+				if ipnet.Contains(ip) {
+					return true
+				}
+			}
+		}
 	}
 
 	return false

imageproxy_test.go

@@ -172,6 +172,7 @@ func TestAllowed(t *testing.T) {
 		{"http://test/image", emptyOptions, nil, []string{"test"}, nil, nil, nil, false},
 		{"http://test/image", emptyOptions, []string{"test"}, []string{"test"}, nil, nil, nil, false},
 		{"http://test/image", Options{Signature: "NDx5zZHx7QfE8E-ijowRreq6CJJBZjwiRfOVk_mkfQQ="}, nil, []string{"test"}, nil, key, nil, false},
+		{"http://127.0.0.1/image", emptyOptions, nil, []string{"127.0.0.0/8"}, nil, nil, nil, false},
 	}
 
 	for _, tt := range tests {