fix: 🔒 prevent potential SSRF through media proxy
This commit is contained in:
parent
9c2264fb8e
commit
d64389543c
2 changed files with 38 additions and 1 deletions
|
@ -21,9 +21,10 @@ export async function downloadUrl(url: string, path: string): Promise<void> {
|
||||||
const maxSize = config.maxFileSize || 262144000;
|
const maxSize = config.maxFileSize || 262144000;
|
||||||
|
|
||||||
const req = got
|
const req = got
|
||||||
.stream(url, {
|
.stream(url, {
|
||||||
headers: {
|
headers: {
|
||||||
"User-Agent": config.userAgent,
|
"User-Agent": config.userAgent,
|
||||||
|
"Host": new URL(url).hostname,
|
||||||
},
|
},
|
||||||
timeout: {
|
timeout: {
|
||||||
lookup: timeout,
|
lookup: timeout,
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
import * as fs from "node:fs";
|
import * as fs from "node:fs";
|
||||||
|
import net from "node:net";
|
||||||
|
import { promises } from "node:dns";
|
||||||
import type Koa from "koa";
|
import type Koa from "koa";
|
||||||
import sharp from "sharp";
|
import sharp from "sharp";
|
||||||
import type { IImage } from "@/services/drive/image-processor.js";
|
import type { IImage } from "@/services/drive/image-processor.js";
|
||||||
|
@ -19,6 +21,40 @@ export async function proxyMedia(ctx: Koa.Context) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const { hostname } = new URL(url);
|
||||||
|
let resolvedIps;
|
||||||
|
try {
|
||||||
|
resolvedIps = await promises.resolve(hostname);
|
||||||
|
} catch (error) {
|
||||||
|
ctx.status = 400;
|
||||||
|
ctx.body = { message: "Invalid URL" };
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const isSSRF = resolvedIps.some((ip) => {
|
||||||
|
if (net.isIPv4(ip)) {
|
||||||
|
const parts = ip.split(".").map(Number);
|
||||||
|
return (
|
||||||
|
parts[0] === 10 ||
|
||||||
|
(parts[0] === 172 && parts[1] >= 16 && parts[1] < 32) ||
|
||||||
|
(parts[0] === 192 && parts[1] === 168) ||
|
||||||
|
parts[0] === 127 ||
|
||||||
|
parts[0] === 0
|
||||||
|
);
|
||||||
|
} else if (net.isIPv6(ip)) {
|
||||||
|
return (
|
||||||
|
ip.startsWith("::") || ip.startsWith("fc00:") || ip.startsWith("fe80:")
|
||||||
|
);
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
});
|
||||||
|
|
||||||
|
if (isSSRF) {
|
||||||
|
ctx.status = 400;
|
||||||
|
ctx.body = { message: "Access to this URL is not allowed" };
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// Create temp file
|
// Create temp file
|
||||||
const [path, cleanup] = await createTemp();
|
const [path, cleanup] = await createTemp();
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue