check the URL and response remote address for ip_range_denylist

the previous only checked the server_name

Signed-off-by: strawberry <strawberry@puppygock.gay>

src/api/server_server.rs

@@ -238,6 +238,24 @@ where
 
 	let url = reqwest_request.url().clone();
 
+	if let Some(url_host) = url.host_str() {
+		debug!("Checking request URL for IP");
+		if let Ok(ip) = IPAddress::parse(url_host) {
+			let cidr_ranges_s = services().globals.ip_range_denylist().to_vec();
+			let mut cidr_ranges: Vec<IPAddress> = Vec::new();
+
+			for cidr in cidr_ranges_s {
+				cidr_ranges.push(IPAddress::parse(cidr).expect("we checked this at startup"));
+			}
+
+			for cidr in cidr_ranges {
+				if cidr.includes(&ip) {
+					return Err(Error::BadServerResponse("Not allowed to send requests to this IP"));
+				}
+			}
+		}
+	}
+
 	debug!("Sending request to {destination} at {url}");
 	let response = services().globals.client.federation.execute(reqwest_request).await;
 	debug!("Received response from {destination} at {url}");
@@ -245,6 +263,25 @@ where
 	match response {
 		Ok(mut response) => {
 			// reqwest::Response -> http::Response conversion
+
+			debug!("Checking response destination's IP");
+			if let Some(remote_addr) = response.remote_addr() {
+				if let Ok(ip) = IPAddress::parse(remote_addr.ip().to_string()) {
+					let cidr_ranges_s = services().globals.ip_range_denylist().to_vec();
+					let mut cidr_ranges: Vec<IPAddress> = Vec::new();
+
+					for cidr in cidr_ranges_s {
+						cidr_ranges.push(IPAddress::parse(cidr).expect("we checked this at startup"));
+					}
+
+					for cidr in cidr_ranges {
+						if cidr.includes(&ip) {
+							return Err(Error::BadServerResponse("Not allowed to send requests to this IP"));
+						}
+					}
+				}
+			}
+
 			let status = response.status();
 			let mut http_response_builder = http::Response::builder().status(status).version(response.version());
 			mem::swap(