check URL preview requests against ip_range_denylist
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry
June
parent
bef0459fb8
commit
3f9825788e
1 changed files with 74 additions and 34 deletions
|
|
@ -1,6 +1,7 @@
|
||||||
use std::{io::Cursor, net::IpAddr, sync::Arc, time::Duration};
|
use std::{io::Cursor, net::IpAddr, sync::Arc, time::Duration};
|
||||||
|
|
||||||
use image::io::Reader as ImgReader;
|
use image::io::Reader as ImgReader;
|
||||||
|
use ipaddress::IPAddress;
|
||||||
use reqwest::Url;
|
use reqwest::Url;
|
||||||
use ruma::api::client::{
|
use ruma::api::client::{
|
||||||
error::ErrorKind,
|
error::ErrorKind,
|
||||||
|
|
@ -652,6 +653,7 @@ async fn download_html(client: &reqwest::Client, url: &str) -> Result<UrlPreview
|
||||||
Ok(data)
|
Ok(data)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TOOD: re-evaluate if this is needed, because it doesn't seem to work
|
||||||
pub(crate) fn url_request_allowed(addr: &IpAddr) -> bool {
|
pub(crate) fn url_request_allowed(addr: &IpAddr) -> bool {
|
||||||
// TODO: make this check ip_range_denylist
|
// TODO: make this check ip_range_denylist
|
||||||
|
|
||||||
|
|
@ -706,9 +708,47 @@ pub(crate) fn url_request_allowed(addr: &IpAddr) -> bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn request_url_preview(url: &str) -> Result<UrlPreviewData> {
|
async fn request_url_preview(url: &str) -> Result<UrlPreviewData> {
|
||||||
|
if let Ok(ip) = IPAddress::parse(url) {
|
||||||
|
let cidr_ranges_s = services().globals.ip_range_denylist().to_vec();
|
||||||
|
let mut cidr_ranges: Vec<IPAddress> = Vec::new();
|
||||||
|
|
||||||
|
for cidr in cidr_ranges_s {
|
||||||
|
cidr_ranges.push(IPAddress::parse(cidr).expect("we checked this at startup"));
|
||||||
|
}
|
||||||
|
|
||||||
|
for cidr in cidr_ranges {
|
||||||
|
if cidr.includes(&ip) {
|
||||||
|
return Err(Error::BadRequest(
|
||||||
|
ErrorKind::Forbidden,
|
||||||
|
"Requesting from this address is forbidden",
|
||||||
|
));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
let client = &services().globals.client.url_preview;
|
let client = &services().globals.client.url_preview;
|
||||||
let response = client.head(url).send().await?;
|
let response = client.head(url).send().await?;
|
||||||
|
|
||||||
|
if let Some(remote_addr) = response.remote_addr() {
|
||||||
|
if let Ok(ip) = IPAddress::parse(remote_addr.ip().to_string()) {
|
||||||
|
let cidr_ranges_s = services().globals.ip_range_denylist().to_vec();
|
||||||
|
let mut cidr_ranges: Vec<IPAddress> = Vec::new();
|
||||||
|
|
||||||
|
for cidr in cidr_ranges_s {
|
||||||
|
cidr_ranges.push(IPAddress::parse(cidr).expect("we checked this at startup"));
|
||||||
|
}
|
||||||
|
|
||||||
|
for cidr in cidr_ranges {
|
||||||
|
if cidr.includes(&ip) {
|
||||||
|
return Err(Error::BadRequest(
|
||||||
|
ErrorKind::Forbidden,
|
||||||
|
"Requesting from this address is forbidden",
|
||||||
|
));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if !response.remote_addr().map_or(false, |a| url_request_allowed(&a.ip())) {
|
if !response.remote_addr().map_or(false, |a| url_request_allowed(&a.ip())) {
|
||||||
return Err(Error::BadRequest(
|
return Err(Error::BadRequest(
|
||||||
ErrorKind::Forbidden,
|
ErrorKind::Forbidden,
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue