Block Private URLs at serverurl API endpoint (#3295)

* Block Private URLs at `serverurl` API endpoint

* Block Private URLs at `serverurl` with `net/netip`
This commit is contained in:
Shreyas 2023-09-07 08:58:15 +05:30 committed by GitHub
parent 50c4c1a5c7
commit 062de79920
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 0 deletions

View File

@ -5,6 +5,7 @@ import (
"fmt"
"net"
"net/http"
"net/netip"
"os"
"path/filepath"
"reflect"
@ -406,6 +407,14 @@ func SetServerURL(w http.ResponseWriter, r *http.Request) {
return
}
// Block Private IP URLs
ipAddr, ipErr := netip.ParseAddr(utils.GetHostnameWithoutPortFromURLString(rawValue))
if ipErr == nil && ipAddr.IsPrivate() {
controllers.WriteSimpleResponse(w, false, "Server URL cannot be private")
return
}
// Trim any trailing slash
serverURL := strings.TrimRight(rawValue, "/")

View File

@ -379,6 +379,16 @@ func GetHostnameFromURLString(s string) string {
return u.Host
}
// GetHostnameWithoutPortFromURLString will return the hostname component without the port from a URL object.
func GetHostnameWithoutPortFromURLString(s string) string {
u, err := url.Parse(s)
if err != nil {
return ""
}
return u.Hostname()
}
// GetHashtagsFromText returns all the #Hashtags from a string.
func GetHashtagsFromText(text string) []string {
re := regexp.MustCompile(`#[a-zA-Z0-9_]+`)