frenchbread / private-ip

Check if IP address is private.
MIT License
33 stars, 16 forks

Security Fix for Bypass private-ip filter which can lead to SSRF - huntr.dev #7

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

@Aravindha1234u (https://huntr.dev/users/Aravindha1234u) has fixed a potential Bypass private-ip filter which can lead to SSRF vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

| Q | A |
| --- | --- |
| Version Affected | <=2.1.1 |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/private-ip/pull/1 |

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @Aravindha1234u, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

📊 Metadata *

Bounty URL: https://huntr.dev/bounties/1-npm-private-ip

⚙️ Description *

  1. The is-ip NPM module was not functioning properly to validate the IP address, so I replaced that module with the ip-regex module.
  2. Since the netmask was not validating the subnet properly, I made a custom regex to check if the IP is private or not.

💻 Technical Description *

Just fixed the subnet mask check and added one more validation step if it's false.

🐛 Proof of Concept (PoC) *

var privateIp = require("private-ip")
console.log(privateIp('127.0.0.01')); // returns false

🔥 Proof of Fix (PoF) *

import isPrivate from './'
console.log(`Is Private 127.0.0.01 : ${isPrivate('127.0.0.01')}`);

👍 User Acceptance Testing (UAT)


frenchbread commented 3 years ago

Hey, @vasco-santos, would you mind looking at this one? Any thoughts?

frenchbread commented 3 years ago

After a little investigation, I found out that the additional regex for IPv4 you've added is not actually needed: firstly, it's at some point "code duplication" since Netmask already does these checks; secondly, it's unreachable. The issue itself has been solved by replacing the is-ip module with ip-regex.

I'll update this PR & merge.
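
Added example, not part of this thread and not code from private-ip: the PoC shows the filter answering `false` for `'127.0.0.01'`, which a caller reads as "not private". The sketch below validates the string strictly before any range check and only allows a definite "public" result. `classifyIPv4`, `isAllowedTarget` and the range list are hypothetical names and an illustrative subset, not the library's API.

```javascript
// Canonical dotted-quad only: four decimal octets 0-255, no leading zeros.
const OCTET = '(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)';
const STRICT_V4 = new RegExp(`^${OCTET}(?:\\.${OCTET}){3}$`);

// Illustrative subset of non-public IPv4 blocks as [base, prefix length].
const NON_PUBLIC = [
  ['0.0.0.0', 8],
  ['10.0.0.0', 8],
  ['100.64.0.0', 10],
  ['127.0.0.0', 8],
  ['169.254.0.0', 16],
  ['172.16.0.0', 12],
  ['192.168.0.0', 16],
];

// Convert a validated dotted-quad to an unsigned integer (no bitwise ops,
// which would wrap to signed 32-bit in JavaScript).
function toInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inCidr(ipInt, base, bits) {
  const size = 2 ** (32 - bits);
  return Math.floor(ipInt / size) === Math.floor(toInt(base) / size);
}

// Three outcomes instead of a boolean, so "could not parse" is never
// confused with "not private".
function classifyIPv4(input) {
  if (typeof input !== 'string' || !STRICT_V4.test(input)) return 'invalid';
  const n = toInt(input);
  return NON_PUBLIC.some(([base, bits]) => inCidr(n, base, bits))
    ? 'private'
    : 'public';
}

// Fail closed: anything that is not definitely public is refused.
function isAllowedTarget(host) {
  return classifyIPv4(host) === 'public';
}

// Constructed sample inputs; '127.0.0.01' is the value from the PoC.
for (const s of ['127.0.0.1', '127.0.0.01', '10.1.2.3', '256.1.1.1', '8.8.8.8']) {
  console.log(s.padEnd(12), classifyIPv4(s).padEnd(8), isAllowedTarget(s));
}
```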