feat: match exception URLs via globbing (#717)

go.mod

@@ -95,6 +95,8 @@ require (
 	google.golang.org/protobuf v1.30.0
 )
 
+require github.com/gobwas/glob v0.2.3 // indirect
+
 require (
 	git.sr.ht/~sbinet/gg v0.3.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect

go.sum

@@ -321,6 +321,8 @@ github.com/gobuffalo/tags/v3 v3.1.4 h1:X/ydLLPhgXV4h04Hp2xlbI2oc5MDaa7eub6zw8oHj
 github.com/gobuffalo/tags/v3 v3.1.4/go.mod h1:ArRNo3ErlHO8BtdA0REaZxijuWnWzF6PUXngmMXd2I0=
 github.com/gobuffalo/validate/v3 v3.3.3 h1:o7wkIGSvZBYBd6ChQoLxkz2y1pfmhbI4jNJYh6PuNJ4=
 github.com/gobuffalo/validate/v3 v3.3.3/go.mod h1:YC7FsbJ/9hW/VjQdmXPvFqvRis4vrRYFxr69WiNZw6g=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/goccy/go-yaml v1.9.6 h1:KhAu1zf9JXnm3vbG49aDE0E5uEBUsM4uwD31/58ZWyI=
 github.com/goccy/go-yaml v1.9.6/go.mod h1:JubOolP3gh0HpiBc4BLRD4YmjEjHAmIIB2aaXKkTfoE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=

httpx/private_ip_validator.go

@@ -11,6 +11,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/gobwas/glob"
 	"github.com/pkg/errors"
 )
 
@@ -94,7 +95,11 @@ func (n NoInternalIPRoundTripper) RoundTrip(request *http.Request) (*http.Respon
 	incoming.RawQuery = ""
 	incoming.RawFragment = ""
 	for _, exception := range n.internalIPExceptions {
-		if incoming.String() == exception {
+		compiled, err := glob.Compile(exception, '.', '/')
+		if err != nil {
+			return nil, err
+		}
+		if compiled.Match(incoming.String()) {
 			return rt.RoundTrip(request)
 		}
 	}

httpx/resilient_client.go

@@ -98,11 +98,11 @@ func ResilientClientDisallowInternalIPs() ResilientOptions {
 	}
 }
 
-// ResilientClientAllowInternalIPRequestsTo allows requests to the exact matching URLs even
+// ResilientClientAllowInternalIPRequestsTo allows requests to the glob-matching URLs even
 // if they are internal IPs.
-func ResilientClientAllowInternalIPRequestsTo(urls ...string) ResilientOptions {
+func ResilientClientAllowInternalIPRequestsTo(urlGlobs ...string) ResilientOptions {
 	return func(o *resilientOptions) {
-		o.internalIPExceptions = urls
+		o.internalIPExceptions = urlGlobs
 	}
 }
 

httpx/resilient_client_test.go

@@ -28,20 +28,23 @@ func TestNoPrivateIPs(t *testing.T) {
 	_, port, err := net.SplitHostPort(target.Host)
 	require.NoError(t, err)
 
-	allowed := "http://localhost:" + port + "/foobar"
+	allowedURL := "http://localhost:" + port + "/foobar"
+	allowedGlob := "http://localhost:" + port + "/glob/*"
 
 	c := NewResilientClient(
 		ResilientClientWithMaxRetry(1),
 		ResilientClientDisallowInternalIPs(),
-		ResilientClientAllowInternalIPRequestsTo(allowed),
+		ResilientClientAllowInternalIPRequestsTo(allowedURL, allowedGlob),
 	)
 
 	for destination, passes := range map[string]bool{
-		"http://127.0.0.1:" + port:             false,
-		"http://localhost:" + port:             false,
-		"http://192.168.178.5:" + port:         false,
-		allowed:                                true,
-		"http://localhost:" + port + "/FOOBAR": false,
+		"http://127.0.0.1:" + port:                   false,
+		"http://localhost:" + port:                   false,
+		"http://192.168.178.5:" + port:               false,
+		allowedURL:                                   true,
+		"http://localhost:" + port + "/glob/bar":     true,
+		"http://localhost:" + port + "/glob/bar/baz": false,
+		"http://localhost:" + port + "/FOOBAR":       false,
 	} {
 		_, err := c.Get(destination)
 		if !passes {