The patch forCVE-2024-50342 isn't enough.

As reported by@cs278:

A DNS name which presents multiple A records can be used to bypass the new fix due to a TOCTOU
condition where the decorator is performing the DNS lookup but curl is then performing its own
DNS query and getting a private IP address.

In addition:

A DNS record which presents a public A record and a private AAAA record can be used to workaround
the protection measures if certain conditions are present

As a first reminder, NoPrivateNetworkHttpClient DOES prevent requests to unwanted servers, but it doesn't prevent connecting to them, allowing to use timings to scan private network topologies.

As a second reminder,according to our security policy, we shouldn't have considered this as a security issue in the first place, but as a security hardening that could be handled without a CVE. Yet we did so we're going to update the already published CVE/advisory/blog post after this PR.

This patch rewritesNoPrivateNetworkHttpClient to make it responsible for resolving DNS and following redirections. I tried usingCURLOPT_RESOLVE instead, but this setting is ignored during a curl transaction apparently so we have no other choices.

In addition, the decorator will refuse to connect to IPv6/IPv4 hosts if the configured$subnets doesn't block any IPs for the corresponding version of the protocol.

Because the DNS check is made earlier, the decorator now also rejects relative URLs when the base URI is unknown to it.