2024-08-14 02:46:07 +02:00
|
|
|
/** ATTN: SECURITY RESEARCHERS
|
|
|
|
|
* To Security researchers about to submit an SSRF report CVE - please don't.
|
|
|
|
|
* We are aware that the code below is does not defend against any of the thousands of ways
|
2024-10-31 17:57:28 +01:00
|
|
|
* you can map a hostname to another IP via tunneling, hosts editing, etc. The code below does not have intention of blocking this
|
2024-08-14 02:46:07 +02:00
|
|
|
* and is simply to prevent the user from accidentally putting in non-valid websites, which is all this protects
|
|
|
|
|
* since _all urls must be submitted by the user anyway_ and cannot be done with authentication and manager or admin roles.
|
|
|
|
|
* If an attacker has those roles then the system is already vulnerable and this is not a primary concern.
|
2024-08-14 18:11:22 +02:00
|
|
|
*
|
2024-08-14 02:46:07 +02:00
|
|
|
* We have gotten this report may times, marked them as duplicate or information and continue to get them. We communicate
|
|
|
|
|
* already that deployment (and security) of an instance is on the deployer and system admin deploying it. This would include
|
|
|
|
|
* isolation, firewalls, and the general security of the instance.
|
2024-08-14 18:11:22 +02:00
|
|
|
*/
|
2024-08-14 02:46:07 +02:00
|
|
|
|
2024-01-11 21:29:00 +01:00
|
|
|
const VALID_PROTOCOLS = ["https:", "http:"];
|
2024-01-19 19:49:40 +01:00
|
|
|
const INVALID_OCTETS = [192, 172, 10, 127];
|
|
|
|
|
|
2024-10-31 17:57:28 +01:00
|
|
|
/**
|
|
|
|
|
* If an ip address is passed in the user is attempting to collector some internal service running on internal/private IP.
|
|
|
|
|
* This is not a security feature and simply just prevents the user from accidentally entering invalid IP addresses.
|
|
|
|
|
* @param {URL} param0
|
|
|
|
|
* @param {URL['hostname']} param0.hostname
|
|
|
|
|
* @returns {boolean}
|
|
|
|
|
*/
|
2024-01-19 19:49:40 +01:00
|
|
|
function isInvalidIp({ hostname }) {
|
|
|
|
|
const IPRegex = new RegExp(
|
|
|
|
|
/^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/gi
|
|
|
|
|
);
|
2024-10-31 17:57:28 +01:00
|
|
|
|
|
|
|
|
// Not an IP address at all - passthrough
|
2024-01-19 19:49:40 +01:00
|
|
|
if (!IPRegex.test(hostname)) return false;
|
|
|
|
|
const [octetOne, ..._rest] = hostname.split(".");
|
|
|
|
|
|
|
|
|
|
// If fails to validate to number - abort and return as invalid.
|
|
|
|
|
if (isNaN(Number(octetOne))) return true;
|
2024-10-31 17:57:28 +01:00
|
|
|
|
|
|
|
|
// Allow localhost loopback and 0.0.0.0 for scraping convenience
|
|
|
|
|
// for locally hosted services or websites
|
|
|
|
|
if (["127.0.0.1", "0.0.0.0"].includes(hostname)) return false;
|
|
|
|
|
|
2024-01-19 19:49:40 +01:00
|
|
|
return INVALID_OCTETS.includes(Number(octetOne));
|
|
|
|
|
}
|
2024-01-11 21:29:00 +01:00
|
|
|
|
2023-12-15 00:14:56 +01:00
|
|
|
function validURL(url) {
|
|
|
|
|
try {
|
2024-01-11 21:29:00 +01:00
|
|
|
const destination = new URL(url);
|
|
|
|
|
if (!VALID_PROTOCOLS.includes(destination.protocol)) return false;
|
2024-01-19 19:49:40 +01:00
|
|
|
if (isInvalidIp(destination)) return false;
|
2023-12-15 00:14:56 +01:00
|
|
|
return true;
|
2024-08-14 18:11:22 +02:00
|
|
|
} catch {}
|
2023-12-15 00:14:56 +01:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module.exports = {
|
|
|
|
|
validURL,
|
|
|
|
|
};
|
