Prevent private octets from link collection for self-hosted (#626)

2025-04-17 18:18:11 +00:00 · 2024-01-19 10:49:40 -08:00 · 2024-01-19 10:49:40 -08:00 · 0db6c3b2aa
commit 0db6c3b2aa
parent 0efb3ab54c
2 changed files with 15 additions and 4 deletions
--- a/collector/utils/url/index.js
+++ b/collector/utils/url/index.js
@ -1,9 +1,23 @@
 const VALID_PROTOCOLS = ["https:", "http:"];
+const INVALID_OCTETS = [192, 172, 10, 127];
+
+function isInvalidIp({ hostname }) {
+  const IPRegex = new RegExp(
+    /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/gi
+  );
+  if (!IPRegex.test(hostname)) return false;
+  const [octetOne, ..._rest] = hostname.split(".");
+
+  // If fails to validate to number - abort and return as invalid.
+  if (isNaN(Number(octetOne))) return true;
+  return INVALID_OCTETS.includes(Number(octetOne));
+}

 function validURL(url) {
  try {
    const destination = new URL(url);
    if (!VALID_PROTOCOLS.includes(destination.protocol)) return false;
+    if (isInvalidIp(destination)) return false;
    return true;
  } catch {}
  return false;
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@ -16,10 +16,7 @@ const {
  multiUserMode,
  queryParams,
 } = require("../utils/http");
-const {
-  setupLogoUploads,
-  setupPfpUploads,
-} = require("../utils/files/multer");
+const { setupLogoUploads, setupPfpUploads } = require("../utils/files/multer");
 const { v4 } = require("uuid");
 const { SystemSettings } = require("../models/systemSettings");
 const { User } = require("../models/user");