Block Private URLs at serverurl API endpoint (#3295)

* Block Private URLs at `serverurl` API endpoint

* Block Private URLs at `serverurl` with `net/netip`
This commit is contained in:
Shreyas 2023-09-07 08:58:15 +05:30 committed by GitHub
parent 50c4c1a5c7
commit 062de79920
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 0 deletions


@ -5,6 +5,7 @@ import (
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
"net/netip"
"os" "os"
"path/filepath" "path/filepath"
"reflect" "reflect"
@ -406,6 +407,14 @@ func SetServerURL(w http.ResponseWriter, r *http.Request) {
return return
} }
// Block Private IP URLs
ipAddr, ipErr := netip.ParseAddr(utils.GetHostnameWithoutPortFromURLString(rawValue))
if ipErr == nil && ipAddr.IsPrivate() {
controllers.WriteSimpleResponse(w, false, "Server URL cannot be private")
return
}
// Trim any trailing slash // Trim any trailing slash
serverURL := strings.TrimRight(rawValue, "/") serverURL := strings.TrimRight(rawValue, "/")
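Review bot: The new guard at `if ipErr == nil && ipAddr.IsPrivate()` only rejects RFC 1918 / ULA literals; `netip.Addr.IsPrivate` does not cover loopback, link-local or unspecified addresses, and an IPv4 address written in IPv4-mapped IPv6 form is not unmapped before the check, so those literal forms still pass as a server URL. The check should unmap first and widen the condition: `ipAddr = ipAddr.Unmap()` before the `if`, then `if ipErr == nil && (ipAddr.IsPrivate() || ipAddr.IsLoopback() || ipAddr.IsLinkLocalUnicast() || ipAddr.IsUnspecified()) {`. Because the helper returns `""` on a parse failure, `ParseAddr` then errors and the block is skipped, so this check only applies to IP literals; a hostname that resolves to such an address is not covered here, which is worth stating in the comment, e.g. `// Block URLs whose host is a private, loopback, link-local or unspecified IP literal; hostnames are not resolved here`. SetServerURL begins outside the hunk, so earlier validation of rawValue is not visible.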


@ -379,6 +379,16 @@ func GetHostnameFromURLString(s string) string {
return u.Host return u.Host
} }
// GetHostnameWithoutPortFromURLString will return the hostname component without the port from a URL object.
func GetHostnameWithoutPortFromURLString(s string) string {
u, err := url.Parse(s)
if err != nil {
return ""
}
return u.Hostname()
}
// GetHashtagsFromText returns all the #Hashtags from a string. // GetHashtagsFromText returns all the #Hashtags from a string.
func GetHashtagsFromText(text string) []string { func GetHashtagsFromText(text string) []string {
re := regexp.MustCompile(`#[a-zA-Z0-9_]+`) re := regexp.MustCompile(`#[a-zA-Z0-9_]+`)