From 062de79920e3cce2f993975b5e23ba3d3639e04e Mon Sep 17 00:00:00 2001
From: Shreyas
Date: Thu, 7 Sep 2023 08:58:15 +0530
Subject: [PATCH] Block Private URLs at `serverurl` API endpoint (#3295)

* Block Private URLs at `serverurl` API endpoint
* Block Private URLs at `serverurl` with `net/netip`
---
 controllers/admin/config.go | 9 +++++++++
 utils/utils.go | 10 ++++++++++
 2 files changed, 19 insertions(+)

diff --git a/controllers/admin/config.go b/controllers/admin/config.go
index feebd6d2c..5fd78e7df 100644
--- a/controllers/admin/config.go
+++ b/controllers/admin/config.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -406,6 +407,14 @@ func SetServerURL(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Block Private IP URLs
+	ipAddr, ipErr := netip.ParseAddr(utils.GetHostnameWithoutPortFromURLString(rawValue))
+
+	if ipErr == nil && ipAddr.IsPrivate() {
+		controllers.WriteSimpleResponse(w, false, "Server URL cannot be private")
+		return
+	}
+
 	// Trim any trailing slash
 	serverURL := strings.TrimRight(rawValue, "/")
 
diff --git a/utils/utils.go b/utils/utils.go
index b6f1b79ac..2a51c367a 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -379,6 +379,16 @@ func GetHostnameFromURLString(s string) string {
 	return u.Host
 }
 
+// GetHostnameWithoutPortFromURLString will return the hostname component without the port from a URL object.
+func GetHostnameWithoutPortFromURLString(s string) string {
+	u, err := url.Parse(s)
+	if err != nil {
+		return ""
+	}
+
+	return u.Hostname()
+}
+
 // GetHashtagsFromText returns all the #Hashtags from a string.
 func GetHashtagsFromText(text string) []string {
 	re := regexp.MustCompile(`#[a-zA-Z0-9_]+`)
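Review bot: The new guard in SetServerURL rejects only the RFC 1918 / RFC 4193 ranges, because `netip.Addr.IsPrivate()` covers nothing else, so loopback, link-local and unspecified literals are still accepted as the server URL; IPv4-mapped IPv6 literals are also not unmapped before the check, and netip's classification methods do not do that for you. I would add `ipAddr = ipAddr.Unmap()` after the parse and widen the condition to `if ipErr == nil && (ipAddr.IsPrivate() || ipAddr.IsLoopback() || ipAddr.IsLinkLocalUnicast() || ipAddr.IsUnspecified()) {`. Note also that the check applies only when the host is an IP literal: when `netip.ParseAddr` fails (any hostname), `ipErr != nil` and the branch is skipped, so a name that resolves to an internal address is not covered — either validate at resolution time or state the limitation in the comment, e.g. `// Block URLs whose host is an internal IP literal; hostnames are not resolved here`. The body of SetServerURL starts before this hunk.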
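Review bot: The doc comment on GetHostnameWithoutPortFromURLString says it works on "a URL object", but the parameter is a string and the function also silently maps a parse failure to `""`, which callers (such as the new check in config.go) cannot distinguish from a URL with no host; both facts belong in the comment. Suggested wording: `// GetHostnameWithoutPortFromURLString returns the hostname component of the URL string s without any port, or "" if s cannot be parsed.` The empty-string-on-error convention appears to match the neighbouring GetHostnameFromURLString, whose body is only partly visible here.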