s360 issue fix

cns/restserver/util.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/http"
 	"strconv"
 	"strings"
@@ -788,6 +789,38 @@ func (service *HTTPRestService) validateDefaultIPConfigsRequest(_ context.Contex
 	return types.Success, ""
 }
 
+func isPrivateIP(ip net.IP) bool {
+	var privateIPBlocks []*net.IPNet
+
+	for _, cidr := range []string{
+		"127.0.0.0/8",    // IPv4 loopback
+		"10.0.0.0/8",     // RFC1918
+		"172.16.0.0/12",  // RFC1918
+		"192.168.0.0/16", // RFC1918
+		"169.254.0.0/16", // RFC3927 link-local
+		"::1/128",        // IPv6 loopback
+		"fe80::/10",      // IPv6 link-local
+		"fc00::/7",       // IPv6 unique local addr
+	} {
+		_, block, err := net.ParseCIDR(cidr)
+		if err != nil {
+			panic(fmt.Errorf("parse error on %q: %v", cidr, err))
+		}
+		privateIPBlocks = append(privateIPBlocks, block)
+	}
+
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+		return true
+	}
+
+	for _, block := range privateIPBlocks {
+		if block.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
 // getPrimaryHostInterface returns the cached InterfaceInfo, if available, otherwise
 // queries the IMDS to get the primary interface info and caches it in the server state
 // before returning the result.
@@ -797,10 +830,16 @@ func (service *HTTPRestService) getPrimaryHostInterface(ctx context.Context) (*w
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to get interfaces from IMDS")
 		}
+
 		primary, err := wireserver.GetPrimaryInterfaceFromResult(res)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to get primary interface from IMDS response")
 		}
+
+		if !isPrivateIP(net.ParseIP(primary.PrimaryIP)) {
+			return nil, errors.Wrap(err, "only private IPv4 or IPv6 address can be used")
+		}
+
 		service.state.primaryInterface = primary
 	}
 	return service.state.primaryInterface, nil