fix: 🔒 prevent potential SSRF through media proxy
This commit is contained in:
parent
9c2264fb8e
commit
d64389543c
|
@ -21,9 +21,10 @@ export async function downloadUrl(url: string, path: string): Promise<void> {
|
|||
const maxSize = config.maxFileSize || 262144000;
|
||||
|
||||
const req = got
|
||||
.stream(url, {
|
||||
.stream(url, {
|
||||
headers: {
|
||||
"User-Agent": config.userAgent,
|
||||
"Host": new URL(url).hostname,
|
||||
},
|
||||
timeout: {
|
||||
lookup: timeout,
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
import * as fs from "node:fs";
|
||||
import net from "node:net";
|
||||
import { promises } from "node:dns";
|
||||
import type Koa from "koa";
|
||||
import sharp from "sharp";
|
||||
import type { IImage } from "@/services/drive/image-processor.js";
|
||||
|
@ -19,6 +21,40 @@ export async function proxyMedia(ctx: Koa.Context) {
|
|||
return;
|
||||
}
|
||||
|
||||
const { hostname } = new URL(url);
|
||||
let resolvedIps;
|
||||
try {
|
||||
resolvedIps = await promises.resolve(hostname);
|
||||
} catch (error) {
|
||||
ctx.status = 400;
|
||||
ctx.body = { message: "Invalid URL" };
|
||||
return;
|
||||
}
|
||||
|
||||
const isSSRF = resolvedIps.some((ip) => {
|
||||
if (net.isIPv4(ip)) {
|
||||
const parts = ip.split(".").map(Number);
|
||||
return (
|
||||
parts[0] === 10 ||
|
||||
(parts[0] === 172 && parts[1] >= 16 && parts[1] < 32) ||
|
||||
(parts[0] === 192 && parts[1] === 168) ||
|
||||
parts[0] === 127 ||
|
||||
parts[0] === 0
|
||||
);
|
||||
} else if (net.isIPv6(ip)) {
|
||||
return (
|
||||
ip.startsWith("::") || ip.startsWith("fc00:") || ip.startsWith("fe80:")
|
||||
);
|
||||
}
|
||||
return false;
|
||||
});
|
||||
|
||||
if (isSSRF) {
|
||||
ctx.status = 400;
|
||||
ctx.body = { message: "Access to this URL is not allowed" };
|
||||
return;
|
||||
}
|
||||
|
||||
// Create temp file
|
||||
const [path, cleanup] = await createTemp();
|
||||
|
||||
|
|
Loading…
Reference in New Issue