ssrf_filter plugin: clarify error for hosts resolving only to private IPs

Hey 👋

We (OpenProject) recently shipped SSRF protection for our outbound integrations using an adaptation of this plugin, which reused its error message verbatim. Since then, multiple administrators who run their services on a private network have filed bug reports - all of them read "has no public IP addresses" as a DNS or connectivity failure. None realised the request was intentionally blocked, or that there is a way to allow the host.

We're now switching to the plugin itself (the new :safe_private_ranges option in 1.8.0 lets us drop our adaptation - thanks for that), so the same confusion would apply, and I'd like to propose a clearer version of the error:

#{@origin.host} resolves only to private or reserved IP addresses, which the ssrf_filter plugin blocks by default (use the :safe_private_ranges option to allow specific ranges)

which tells them what happened and how to approach the matter.

Happy to adjust the wording.

Merge request reports

Loading