Prevent smokescreen upstream connections to its local IPs

[rishikej-stripe]

Summary

This PR adds an additional check for the target IP to ensure the smokescreen proxy does not connect to itself if a client passes smokescreen's IP/localhost as the target address.

Motivation

Smokescreen does not prevent clients from issuing CONNECT requests that target Smokescreen's own listening address. If the ACL configuration permits connections to the proxy's IP (e.g., 127.0.0.1, localhost, its internal IP range or its external IP), a malicious client can establish a recursive connection loop. Each iteration of the loop creates a new nested tunnel, consuming file descriptors, memory, and goroutines, rapidly leading to resource exhaustion and Denial of Service (DoS).

Test plan

Tested locally. The PoC passes a burst of 10000 requests through 1000 concurrent workers to the smokescreen proxy.

Before

Client makes continuous recursive connections by keeping localhost as the target.

After
Smokescreen denies the request to any of its local IPs.

[coveralls]

Pull Request Test Coverage Report for Build 20851618744

Details

• 52 of 66 (78.79%) changed or added relevant lines in 2 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.5%) to 55.992%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/smokescreen/smokescreen.go	13	19	68.42%
pkg/smokescreen/config.go	39	47	82.98%

Totals
Change from base Build 20331928078:	0.5%
Covered Lines:	1752
Relevant Lines:	3129

---

💛 - Coveralls

[saurabhbhatia-stripe]

Overall LGTM, can we add some unit tests for the new lines added.