From fb57b990c2bf049122215d3a6ded14aaa942fbc7 Mon Sep 17 00:00:00 2001
From: Tom Fenech
Date: Sun, 30 Nov 2025 15:13:01 +0100
Subject: [PATCH 1/2] allow additional ranges of ips
---
 oryx/httpx/ssrf.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/oryx/httpx/ssrf.go b/oryx/httpx/ssrf.go
index a217c7dd3c..aab6768131 100644
--- a/oryx/httpx/ssrf.go
+++ b/oryx/httpx/ssrf.go
@@ -86,10 +86,12 @@ func init() {
 ssrf.WithNetworks("tcp4", "tcp6"),
 ssrf.WithAllowedV4Prefixes(
 netip.MustParsePrefix("10.0.0.0/8"), // Private-Use (RFC 1918)
+ netip.MustParsePrefix("100.64.0.0/10"), // Shared Address Space (RFC 6598)
 netip.MustParsePrefix("127.0.0.0/8"), // Loopback (RFC 1122, Section 3.2.1.3))
 netip.MustParsePrefix("169.254.0.0/16"), // Link Local (RFC 3927)
 netip.MustParsePrefix("172.16.0.0/12"), // Private-Use (RFC 1918)
 netip.MustParsePrefix("192.168.0.0/16"), // Private-Use (RFC 1918)
+ netip.MustParsePrefix("198.18.0.0/15"), // Benchmarking (RFC 2544)
 ),
 ssrf.WithAllowedV6Prefixes(
 netip.MustParsePrefix("::1/128"), // Loopback (RFC 4193)
@@ -106,10 +108,12 @@ func init() {
 ssrf.WithNetworks("tcp4"),
 ssrf.WithAllowedV4Prefixes(
 netip.MustParsePrefix("10.0.0.0/8"), // Private-Use (RFC 1918)
+ netip.MustParsePrefix("100.64.0.0/10"), // Shared Address Space (RFC 6598)
 netip.MustParsePrefix("127.0.0.0/8"), // Loopback (RFC 1122, Section 3.2.1.3))
 netip.MustParsePrefix("169.254.0.0/16"), // Link Local (RFC 3927)
 netip.MustParsePrefix("172.16.0.0/12"), // Private-Use (RFC 1918)
 netip.MustParsePrefix("192.168.0.0/16"), // Private-Use (RFC 1918)
+ netip.MustParsePrefix("198.18.0.0/15"), // Benchmarking (RFC 2544)
 ),
 ssrf.WithAllowedV6Prefixes(
 netip.MustParsePrefix("::1/128"), // Loopback (RFC 4193)
From bf56acff6b2ac75ad200b906a7040cd3295f3bc7 Mon Sep 17 00:00:00 2001
From: Tom Fenech
Date: Sun, 30 Nov 2025 15:18:06 +0100
Subject: [PATCH 2/2] fix formatting error
---
 oryx/dbal/testhelpers.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
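Review bot: The two entries added at @@ -86 (and the identical pair at @@ -106) widen the allow-list of both dialers with no comment saying why, and — assuming WithAllowedV4Prefixes exempts the listed ranges from the SSRF guard, as its name and the commit title suggest — any URL these clients follow may now reach 100.64.0.0/10 and 198.18.0.0/15. 100.64.0.0/10 is not only carrier-grade NAT space but is also used by overlay/VPN networks and, at some cloud providers, by instance-metadata endpoints, so confirm the exemption is needed by every deployment that shares these dialers rather than by one environment. Add a why-comment above the new entries, e.g. `// Allowed on purpose: <the network or deployment that lives in these ranges>`, so the next reader does not treat them as an oversight. The prefix list is now repeated verbatim in both option lists (the `tcp4`/`tcp6` dialer and the `tcp4`-only one), which is exactly the kind of duplication that lets the two drift; since the option takes a variadic list, hoist it into a package-level `var allowedV4Prefixes = []netip.Prefix{…}` and pass `ssrf.WithAllowedV4Prefixes(allowedV4Prefixes...)` in both places. init() starts and ends outside the hunk.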
diff --git a/oryx/dbal/testhelpers.go b/oryx/dbal/testhelpers.go
index b13d010961..9cbd8c6a48 100644
--- a/oryx/dbal/testhelpers.go
+++ b/oryx/dbal/testhelpers.go
@@ -10,12 +10,12 @@ import (
 "regexp"
 "testing"
- "github.com/ory/x/sqlcon/dockertest"
 "github.com/pkg/errors"
 "github.com/stretchr/testify/require"
 "github.com/ory/pop/v6"
 "github.com/ory/x/fsx"
+ "github.com/ory/x/sqlcon/dockertest"
 )
 var hashDumpRegex = regexp.MustCompile(`-- migrations hash: ([^\n]+)\n`)