Prevent private octets from link collection for self-hosted (#626)

Mintplex-Labs · Jan 19, 2024 · 0db6c3b · 0db6c3b
1 parent 0efb3ab
commit 0db6c3b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 4 deletions.
diff --git a/collector/utils/url/index.js b/collector/utils/url/index.js
@@ -1,9 +1,23 @@
 const VALID_PROTOCOLS = ["https:", "http:"];
+const INVALID_OCTETS = [192, 172, 10, 127];
+
+function isInvalidIp({ hostname }) {
+  const IPRegex = new RegExp(
+    /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/gi
+  );
+  if (!IPRegex.test(hostname)) return false;
+  const [octetOne, ..._rest] = hostname.split(".");
+
+  // If fails to validate to number - abort and return as invalid.
+  if (isNaN(Number(octetOne))) return true;
+  return INVALID_OCTETS.includes(Number(octetOne));
+}
 
 function validURL(url) {
   try {
     const destination = new URL(url);
     if (!VALID_PROTOCOLS.includes(destination.protocol)) return false;
+    if (isInvalidIp(destination)) return false;
     return true;
   } catch {}
   return false;

diff --git a/server/endpoints/system.js b/server/endpoints/system.js
@@ -16,10 +16,7 @@ const {
   multiUserMode,
   queryParams,
 } = require("../utils/http");
-const {
-  setupLogoUploads,
-  setupPfpUploads,
-} = require("../utils/files/multer");
+const { setupLogoUploads, setupPfpUploads } = require("../utils/files/multer");
 const { v4 } = require("uuid");
 const { SystemSettings } = require("../models/systemSettings");
 const { User } = require("../models/user");