Update request-filtering-agent to v3.2.0 for CIDR range support (#10923)

* Initial plan

* Update request-filtering-agent to v3.2.0 with CIDR support

Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>

* Remove unnecessary mock and use transformIgnorePatterns for request-filtering-agent

Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>

* Mock

* Revert unused change

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: tommoor <380914+tommoor@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>

package.json

@@ -234,7 +234,7 @@
     "redlock": "^5.0.0-beta.2",
     "reflect-metadata": "^0.2.2",
     "refractor": "^3.6.0",
-    "request-filtering-agent": "^2.0.1",
+    "request-filtering-agent": "^3.2.0",
     "resolve-path": "^1.4.0",
     "rfc6902": "^5.1.2",
     "sanitize-filename": "^1.6.3",

server/__mocks__/request-filtering-agent.js

@@ -0,0 +1,28 @@
+const http = require("http");
+const https = require("https");
+
+/**
+ * Mock implementation of request-filtering-agent for Jest testing
+ * This avoids ESM module issues in the test environment
+ */
+function useAgent(url, options = {}) {
+  const parsedUrl = new URL(url);
+  const isHttps = parsedUrl.protocol === "https:";
+
+  // Create a basic agent based on the protocol
+  const Agent = isHttps ? https.Agent : http.Agent;
+
+  // Return a new agent with the provided options
+  return new Agent({
+    keepAlive: options.keepAlive,
+    timeout: options.timeout,
+    keepAliveMsecs: options.keepAliveMsecs,
+    maxSockets: options.maxSockets,
+    maxFreeSockets: options.maxFreeSockets,
+    maxCachedSessions: options.maxCachedSessions,
+  });
+}
+
+module.exports = {
+  useAgent,
+};

server/env.ts

@@ -743,10 +743,11 @@ export class Environment {
     this.toOptionalNumber(environment.WEBHOOK_FAILURE_RATE_THRESHOLD) ?? 80;
 
   /**
-   * Comma-separated list of IP addresses that are allowed to be accessed
+   * Comma-separated list of IP addresses or CIDR ranges that are allowed to be accessed
    * even if they are private IP addresses. This is useful for allowing
    * connections to OIDC providers or webhooks on private networks.
-   * Example: "10.0.0.1,192.168.1.100"
+   * Supports both individual IP addresses and CIDR notation.
+   * Example: "10.0.0.1,192.168.1.0/24,172.16.0.1"
    */
   @IsOptional()
   public ALLOWED_PRIVATE_IP_ADDRESSES = this.toOptionalCommaList(

server/utils/fetch.ts

@@ -81,7 +81,7 @@ export default async function fetch(
   } catch (err) {
     if (!env.isCloudHosted && err.message?.startsWith("DNS lookup")) {
       throw InternalError(
-        `${err.message}\n\nTo allow this request, add the IP address to the ALLOWED_PRIVATE_IP_ADDRESSES environment variable.`
+        `${err.message}\n\nTo allow this request, add the IP address or CIDR range to the ALLOWED_PRIVATE_IP_ADDRESSES environment variable.`
       );
     }
     throw err;

yarn.lock

@@ -13437,10 +13437,10 @@ replace-ext@^2.0.0:
   resolved "https://registry.yarnpkg.com/replace-ext/-/replace-ext-2.0.0.tgz#9471c213d22e1bcc26717cd6e50881d88f812b06"
   integrity "sha1-lHHCE9IuG8wmcXzW5QiB2I+BKwY= sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug=="
 
-request-filtering-agent@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/request-filtering-agent/-/request-filtering-agent-2.0.1.tgz#aa65ba7077d4519426ee25aaa74bcd6f3809c072"
-  integrity sha512-QvD3qwthEt9J+2hCdQ3wTn3Z/ZsgyiMECjY9yVJ0F8FtnGfNQG+dRz65eKayYRHIRQ6OGjH8Zuqr1lw7G6pz1Q==
+request-filtering-agent@^3.2.0:
+  version "3.2.0"
+  resolved "https://registry.yarnpkg.com/request-filtering-agent/-/request-filtering-agent-3.2.0.tgz#4b42c95624a88080454282e6df0cb8e41a2ae365"
+  integrity sha512-tKPrKdsmTFuGG1/pBEpzTB66mDZ2lZLW8kjW4N6jj4QjnxUTKrIfv5p2zuJRfztOos86jRPD41lRaGjh+1QqDw==
   dependencies:
     ipaddr.js "^2.1.0"