add additional allowed hosts

server/routes.go

@@ -915,9 +915,9 @@ func allowedHost(host string) bool {
 	}
 
 	var tlds = []string{
-		".localhost",
-		".local",
-		".internal",
+		"localhost",
+		"local",
+		"internal",
 	}
 
 	for _, tld := range tlds {
@@ -929,24 +929,36 @@ func allowedHost(host string) bool {
 	return false
 }
 
-func allowedHostsMiddleware(addr net.Addr) gin.HandlerFunc {
-	return func(c *gin.Context) {
-		if addr == nil {
-			c.Next()
-			return
-		}
+func ips() []string {
+	var ips []string
 
-		if !netip.MustParseAddrPort(addr.String()).Addr().IsLoopback() {
-			c.Next()
-			return
+	if interfaces, err := net.Interfaces(); err == nil {
+		for _, iface := range interfaces {
+			addrs, err := iface.Addrs()
+			if err != nil {
+				continue
+			}
+
+			for _, a := range addrs {
+				if ip, _, err := net.ParseCIDR(a.String()); err == nil {
+					ips = append(ips, ip.String())
+				}
+			}
 		}
+	}
+
+	return ips
+}
 
-		if addrPort, _ := netip.ParseAddrPort(c.Request.Host); addrPort.Addr().IsLoopback() {
+func allowedHostsMiddleware(addr net.Addr) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if addr == nil {
 			c.Next()
 			return
 		}
 
-		if addr, _ := netip.ParseAddr(c.Request.Host); addr.IsLoopback() {
+		addr, err := netip.ParseAddrPort(addr.String())
+		if err == nil && !addr.Addr().IsLoopback() {
 			c.Next()
 			return
 		}
@@ -956,6 +968,13 @@ func allowedHostsMiddleware(addr net.Addr) gin.HandlerFunc {
 			host = c.Request.Host
 		}
 
+		if addr, err := netip.ParseAddr(host); err == nil {
+			if addr.IsLoopback() || addr.IsPrivate() || slices.Contains(ips(), host) || addr.String() == "0.0.0.0" {
+				c.Next()
+				return
+			}
+		}
+
 		if allowedHost(host) {
 			c.Next()
 			return