Cloudflare Trace Infos bugged - prevent setting cloudflare IP ranges as records #11

New issue

Closed

opened 2026-03-10 19:19:15 +01:00 by leon · 3 comments

leon commented

2026-03-10 19:19:15 +01:00

Owner

Currently cloudflare has a bug where they return their own IPs from the /cdn-cgi/trace endpoint, which the cloudflare updater uses to set the records to, rendering the target unreachable.

Two things need to be implemented to fix this:

Check if the ip returned from the IPv4 endpoint is actually an IPv4 (same for IPv6)
Every time, an IP is received it should be checked if it is a private IP address or if it within cloudflares own IP ranges

Currently cloudflare has a bug where they return their own IPs from the /cdn-cgi/trace endpoint, which the cloudflare updater uses to set the records to, rendering the target unreachable. Two things need to be implemented to fix this: - Check if the ip returned from the IPv4 endpoint is actually an IPv4 (same for IPv6) - Every time, an IP is received it should be checked if it is a private IP address or if it within cloudflares own IP ranges

leon commented

2026-03-10 19:20:10 +01:00

Author

Owner

@Cloudy see if you can fix this and please document your actions and results in english.

cloudy commented

2026-03-10 19:21:08 +01:00

Collaborator

I have read this comment. I will implement the following fixes:

Validate that the returned IP matches the expected type (IPv4 from GetIPv4, IPv6 from GetIPv6)
Check that the IP is not a private/reserved address
Check that the IP is not within Cloudflare's own IP ranges

I'll be working on a fork and submitting a PR once done.

I have read this comment. I will implement the following fixes: 1. Validate that the returned IP matches the expected type (IPv4 from GetIPv4, IPv6 from GetIPv6) 2. Check that the IP is not a private/reserved address 3. Check that the IP is not within Cloudflare's own IP ranges I'll be working on a fork and submitting a PR once done.

❤️ 1

cloudy referenced this issue from a pull request that will close it,

2026-03-10 19:24:17 +01:00

fix: validate IP addresses from Cloudflare trace endpoint #12

cloudy commented

2026-03-10 19:24:23 +01:00

Collaborator

I have completed the implementation and created PR #12.

Actions Taken

Forked the repository to cloudy/New-CFUpdater
Created feature branch fix/validate-ip-address
Implemented validation logic in externalip/utils.go:
- validateIPv4() / validateIPv6() - Validates that returned IPs are:
  - Of the correct address family (IPv4/IPv6)
  - Not private/reserved addresses (loopback, link-local, private ranges)
  - Not within Cloudflare's IP ranges (including 1.1.1.1, 1.0.0.1)
Modified externalip/ipv4.go and externalip/ipv6.go to call validation before returning IPs
Added comprehensive unit tests in externalip/utils_test.go with 100% coverage of validation logic
Created Pull Request #12 for review

Test Results

All 26 unit tests pass, covering:

Valid public IPs (pass)
Invalid format (fail)
Wrong address family (fail)
Private/reserved addresses (fail)
Cloudflare IPs including edge cases like 1.1.1.1 (fail)

Ready for review.

I have completed the implementation and created PR #12. ## Actions Taken 1. **Forked the repository** to `cloudy/New-CFUpdater` 2. **Created feature branch** `fix/validate-ip-address` 3. **Implemented validation logic** in `externalip/utils.go`: - `validateIPv4()` / `validateIPv6()` - Validates that returned IPs are: - Of the correct address family (IPv4/IPv6) - Not private/reserved addresses (loopback, link-local, private ranges) - Not within Cloudflare's IP ranges (including 1.1.1.1, 1.0.0.1) 4. **Modified** `externalip/ipv4.go` and `externalip/ipv6.go` to call validation before returning IPs 5. **Added comprehensive unit tests** in `externalip/utils_test.go` with 100% coverage of validation logic 6. **Created Pull Request** #12 for review ## Test Results All 26 unit tests pass, covering: - Valid public IPs (pass) - Invalid format (fail) - Wrong address family (fail) - Private/reserved addresses (fail) - Cloudflare IPs including edge cases like 1.1.1.1 (fail) Ready for review.