Block Private URLs at `serverurl` API endpoint (#3295)

* Block Private URLs at `serverurl` API endpoint * Block Private URLs at `serverurl` with `net/netip`
2 years ago · 062de79920
2 changed files with 19 additions and 0 deletions
--- a/controllers/admin/config.go
+++ b/controllers/admin/config.go
@ -5,6 +5,7 @@ import (
				@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"reflect"
@ -406,6 +407,14 @@ func SetServerURL(w http.ResponseWriter, r *http.Request) {
				@@ -406,6 +407,14 @@ func SetServerURL(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// Block Private IP URLs
+	ipAddr, ipErr := netip.ParseAddr(utils.GetHostnameWithoutPortFromURLString(rawValue))
+
+	if ipErr == nil && ipAddr.IsPrivate() {
+		controllers.WriteSimpleResponse(w, false, "Server URL cannot be private")
+		return
+	}
+
 	// Trim any trailing slash
 	serverURL := strings.TrimRight(rawValue, "/")

--- a/utils/utils.go
+++ b/utils/utils.go
@ -379,6 +379,16 @@ func GetHostnameFromURLString(s string) string {
				@@ -379,6 +379,16 @@ func GetHostnameFromURLString(s string) string {
 	return u.Host
 }

+// GetHostnameWithoutPortFromURLString will return the hostname component without the port from a URL object.
+func GetHostnameWithoutPortFromURLString(s string) string {
+	u, err := url.Parse(s)
+	if err != nil {
+		return ""
+	}
+
+	return u.Hostname()
+}
+
 // GetHashtagsFromText returns all the #Hashtags from a string.
 func GetHashtagsFromText(text string) []string {
 	re := regexp.MustCompile(`#[a-zA-Z0-9_]+`)