fix: disable redirects to guard against possible SSRFs

3 years ago · f40135dbf2
2 changed files with 15 additions and 2 deletions
--- a/activitypub/webfinger/webfinger.go
+++ b/activitypub/webfinger/webfinger.go
@ -29,7 +29,14 @@ func GetWebfingerLinks(account string) ([]map[string]interface{}, error) {
				@@ -29,7 +29,14 @@ func GetWebfingerLinks(account string) ([]map[string]interface{}, error) {
 	query.Add("resource", fmt.Sprintf("acct:%s", account))
 	requestURL.RawQuery = query.Encode()

-	response, err := http.DefaultClient.Get(requestURL.String())
+	// Do not support redirects.
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
+	response, err := client.Get(requestURL.String())
 	if err != nil {
 		return nil, err
 	}
--- a/auth/indieauth/client.go
+++ b/auth/indieauth/client.go
@ -80,7 +80,13 @@ func HandleCallbackCode(code, state string) (*Request, *Response, error) {
				@@ -80,7 +80,13 @@ func HandleCallbackCode(code, state string) (*Request, *Response, error) {
 	data.Set("redirect_uri", request.Callback.String())
 	data.Set("code_verifier", request.CodeVerifier)

-	client := &http.Client{}
+	// Do not support redirects.
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
 	r, err := http.NewRequest("POST", request.Endpoint.String(), strings.NewReader(data.Encode())) // URL-encoded payload
 	if err != nil {
 		return nil, nil, err