forked from molecule-ai/molecule-core
4ff45f8955
The validateAgentURL function was missing several ranges from the always- blocked list. In SaaS mode only link-local, loopback, and IPv6 metadata were blocked — TEST-NET (192.0.2/24, 198.51.100/24, 203.0.113/24), CGNAT (100.64.0.0/10), IPv4 multicast (224.0.0.0/4), and fc00::/8 (IPv6 ULA non-routable prefix) were allowed through. These ranges are never valid agent URLs in any deployment: - TEST-NET (RFC-5737): documentation-only, no real hosts - CGNAT (RFC-6598): never used as VPC subnets on AWS/GCP/Azure - IPv4 multicast: never a unicast agent endpoint - fc00::/8: non-routable prefix (fd00::/8 stays allowed in SaaS mode) Also tighten the non-SaaS ULA block: instead of blocking fc00::/7 (the supernet covering both fc00 and fd00), split it into always-blocked fc00::/8 (above) + non-SaaS-only fd00::/8. This makes the SaaS relaxation explicit and auditable. Fixes TestValidateAgentURL_SaaSMode_StillBlocksMetadataEtAl failure. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| cmd/server | ||
| internal | ||
| migrations | ||
| pkg/provisionhook | ||
| .ci-force | ||
| .gitignore | ||
| .golangci.yaml | ||
| Dockerfile | ||
| Dockerfile.tenant | ||
| entrypoint-tenant.sh | ||
| go.mod | ||
| go.sum | ||