Can anyone explain a scenario where this is exploitable? I don't understand how this is likely to result in SSRF, file inclusion, etc. What applications are taking user supplied IP addresses?
So one example would be: say you have a web application which makes HTTP requests on your customer's behalf (something like a website availability checker).
You want customers to be able to enter host IPs that they control and your site will retrieve the URL on that site that they specify to confirm it's available.
You don't want customers to be able to request things like http://127.0.0.1:8080 or http://192.168.1.1:6443 as you've got internal systems running there that are not for external use.
So in your code you set the internal only ranges to be blocked.
If you used this library to do that, it would be possible to bypass the restriction and request internal IPs by using octal encoding, as the customer could enter an octal IP and then the conversion would allow ranges that should be blocked to be requested.
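An added example (not code from the thread or from the library being discussed) of the availability-checker scenario above. The lenient parser is an assumption that mirrors the mismatch described: it reads a leading-zero field such as "0177" as plain decimal 177, while the HTTP client that later fetches the URL treats it as octal 127. The strict parser only accepts canonical dotted-decimal, so the block list and the fetcher can never disagree about which host is meant.

```python
import ipaddress
import re

# Ranges the availability checker must never fetch (constructed for this example).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Exactly four decimal octets 0-255 with no leading zeros:
# "127.0.0.1" matches, "0177.0.0.1", "127.1", "0x7f.0.0.1" and "2130706433" do not.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_CANONICAL_V4 = re.compile(rf"^(?:{_OCTET}\.){{3}}{_OCTET}$")


def lenient_parse(text):
    """Assumed flawed conversion: every dotted field is read as base-10, so a
    leading zero is silently dropped ("0177" -> 177) instead of signalling octal."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    octets = [int(p, 10) for p in parts]
    if any(o > 255 for o in octets):
        return None
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def strict_parse(text):
    """Accept only canonical dotted-decimal; any other spelling is rejected outright
    rather than guessed at, so there is no conversion step to disagree with the fetcher."""
    if not _CANONICAL_V4.match(text):
        return None
    return ipaddress.IPv4Address(text)


def is_blocked(addr):
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_target_lenient(text):
    """Decision the flawed check reaches: 'allow', 'block' or 'reject'."""
    addr = lenient_parse(text)
    return "reject" if addr is None else ("block" if is_blocked(addr) else "allow")


def check_target_strict(text):
    """Decision the hardened check reaches for the same input."""
    addr = strict_parse(text)
    return "reject" if addr is None else ("block" if is_blocked(addr) else "allow")
```

Running both checks over "0177.0.0.1" shows the gap: the lenient version classifies it as the public address 177.0.0.1 and allows it, while the strict version refuses the input before any range comparison happens.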
Thanks, that makes sense. I was thinking along the lines of applications interpreting HTTP headers like X-Forwarded-For, but trusting the client (instead of re-writing).