From 576e4121be57e668abb4a0095e352a749885356d Mon Sep 17 00:00:00 2001 From: DVD Date: Wed, 12 Jul 2023 09:26:15 +0800 Subject: [PATCH 1/9] Disable signature check --- packages/client/src/pages/settings/import-export.vue | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/client/src/pages/settings/import-export.vue b/packages/client/src/pages/settings/import-export.vue index b2ac12cad0..4a92867486 100644 --- a/packages/client/src/pages/settings/import-export.vue +++ b/packages/client/src/pages/settings/import-export.vue @@ -222,7 +222,7 @@ const importPosts = async (ev) => { const file = await selectFile(ev.currentTarget ?? ev.target); os.api("i/import-posts", { fileId: file.id, - signatureCheck: importType.value === "mastodon" ? true : false, + signatureCheck: false, }) .then(onImportSuccess) .catch(onError); From d64389543c9a1abc78968d12ac6196807a170ea5 Mon Sep 17 00:00:00 2001 From: ThatOneCalculator Date: Sat, 15 Jul 2023 14:13:21 -0700 Subject: [PATCH 2/9] fix: :lock: prevent potential SSRF through media proxy --- packages/backend/src/misc/download-url.ts | 3 +- .../backend/src/server/proxy/proxy-media.ts | 36 +++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/packages/backend/src/misc/download-url.ts b/packages/backend/src/misc/download-url.ts index 7fafb635ba..b96871e72e 100644 --- a/packages/backend/src/misc/download-url.ts +++ b/packages/backend/src/misc/download-url.ts @@ -21,9 +21,10 @@ export async function downloadUrl(url: string, path: string): Promise { const maxSize = config.maxFileSize || 262144000; const req = got - .stream(url, { + .stream(url, { headers: { "User-Agent": config.userAgent, + "Host": new URL(url).hostname, }, timeout: { lookup: timeout, diff --git a/packages/backend/src/server/proxy/proxy-media.ts b/packages/backend/src/server/proxy/proxy-media.ts index a9c257bfeb..b3bb031244 100644 --- a/packages/backend/src/server/proxy/proxy-media.ts +++ b/packages/backend/src/server/proxy/proxy-media.ts @@ -1,4 +1,6 @@ import * as fs from "node:fs"; +import net from "node:net"; +import { promises } from "node:dns"; import type Koa from "koa"; import sharp from "sharp"; import type { IImage } from "@/services/drive/image-processor.js"; @@ -19,6 +21,40 @@ export async function proxyMedia(ctx: Koa.Context) { return; } + const { hostname } = new URL(url); + let resolvedIps; + try { + resolvedIps = await promises.resolve(hostname); + } catch (error) { + ctx.status = 400; + ctx.body = { message: "Invalid URL" }; + return; + } + + const isSSRF = resolvedIps.some((ip) => { + if (net.isIPv4(ip)) { + const parts = ip.split(".").map(Number); + return ( + parts[0] === 10 || + (parts[0] === 172 && parts[1] >= 16 && parts[1] < 32) || + (parts[0] === 192 && parts[1] === 168) || + parts[0] === 127 || + parts[0] === 0 + ); + } else if (net.isIPv6(ip)) { + return ( + ip.startsWith("::") || ip.startsWith("fc00:") || ip.startsWith("fe80:") + ); + } + return false; + }); + + if (isSSRF) { + ctx.status = 400; + ctx.body = { message: "Access to this URL is not allowed" }; + return; + } + // Create temp file const [path, cleanup] = await createTemp(); From e38facfb7b0384f4d3c71a8c36ad0901e645d33a Mon Sep 17 00:00:00 2001 From: DVD Date: Sun, 16 Jul 2023 21:54:42 +0800 Subject: [PATCH 3/9] Fix: Quicktime Video Play on Chrome --- packages/client/src/components/MkMedia.vue | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/packages/client/src/components/MkMedia.vue b/packages/client/src/components/MkMedia.vue index 4c023f1310..2cbb881f35 100644 --- a/packages/client/src/components/MkMedia.vue +++ b/packages/client/src/components/MkMedia.vue @@ -54,7 +54,7 @@ controls @contextmenu.stop > - + @@ -80,7 +80,7 @@