fix: 🔒 prevent potential SSRF through media proxy

This commit is contained in:
ThatOneCalculator 2023-07-15 14:13:21 -07:00
parent 9c2264fb8e
commit d64389543c
No known key found for this signature in database
GPG key ID: 8703CACD01000000
2 changed files with 38 additions and 1 deletions

View file

@ -21,9 +21,10 @@ export async function downloadUrl(url: string, path: string): Promise<void> {
const maxSize = config.maxFileSize || 262144000;
const req = got
.stream(url, {
.stream(url, {
headers: {
"User-Agent": config.userAgent,
"Host": new URL(url).hostname,
},
timeout: {
lookup: timeout,

View file

@ -1,4 +1,6 @@
import * as fs from "node:fs";
import net from "node:net";
import { promises } from "node:dns";
import type Koa from "koa";
import sharp from "sharp";
import type { IImage } from "@/services/drive/image-processor.js";
@ -19,6 +21,40 @@ export async function proxyMedia(ctx: Koa.Context) {
return;
}
const { hostname } = new URL(url);
let resolvedIps;
try {
resolvedIps = await promises.resolve(hostname);
} catch (error) {
ctx.status = 400;
ctx.body = { message: "Invalid URL" };
return;
}
const isSSRF = resolvedIps.some((ip) => {
if (net.isIPv4(ip)) {
const parts = ip.split(".").map(Number);
return (
parts[0] === 10 ||
(parts[0] === 172 && parts[1] >= 16 && parts[1] < 32) ||
(parts[0] === 192 && parts[1] === 168) ||
parts[0] === 127 ||
parts[0] === 0
);
} else if (net.isIPv6(ip)) {
return (
ip.startsWith("::") || ip.startsWith("fc00:") || ip.startsWith("fe80:")
);
}
return false;
});
if (isSSRF) {
ctx.status = 400;
ctx.body = { message: "Access to this URL is not allowed" };
return;
}
// Create temp file
const [path, cleanup] = await createTemp();