From 5689a105a08ed3d556108c68f929d709bcb643c2 Mon Sep 17 00:00:00 2001
From: Jan Sandbrink
Date: Fri, 5 Jun 2026 09:45:04 +0200
Subject: [PATCH] Work around SSRF issue

Ingredients needed for the issue to occur are:
* an allowed IPv4 range
* a checked IPv6 address
* the checked address must be wrapped in HTTPX::Resolver::Entry

This leads to a failure in checking address inclusion by IPAddr.
---
 lib/open_project/httpx_ssrf_filter.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/open_project/httpx_ssrf_filter.rb b/lib/open_project/httpx_ssrf_filter.rb
index be7545c6429..86372c98d6f 100644
--- a/lib/open_project/httpx_ssrf_filter.rb
+++ b/lib/open_project/httpx_ssrf_filter.rb
@@ -46,7 +46,13 @@ module OpenProject
 end
 def addresses=(addrs)
- addrs.reject!(&SsrfProtection.method(:unsafe_ip_address?)) # rubocop:disable Performance/MethodObjectAsBlock
+ addrs.reject! do |addr|
+ # working around an error in IPAddr that fails to check address inclusion if the passed address is not an
+ # IPAddr, but a SimpleDelegator to an IPAddr (like HTTPX::Resolver::Entry).
+ addr = addr.address if addr.respond_to?(:address)
+ SsrfProtection.send(:unsafe_ip_address?, addr)
+ end
 raise ServerSideRequestForgeryError, "#{@origin.host} has no public IP addresses" if addrs.empty?