
TOCTOU attacks issue #10

Open
shogo82148 opened this issue Jan 7, 2017 · 2 comments
@shogo82148 (Contributor)

yoya-thumber prohibits the loopback address, but it seems that there is a Time Of Check to Time Of Use (TOCTOU) attack issue.

In yoya-thumber/thumberd/thumberd.go

```go
	u, err = url.Parse(imageUrl)

	// CHECK
	// this code follows the useProxy method in net/http/transport.go.
	if err != nil {
		return nil, err
	}
	if u.Host == "localhost" {
		return nil, errors.New("localhost is prohibited.")
	}
	if ip := net.ParseIP(u.Host); ip != nil {
		if ip.IsLoopback() {
			return nil, errors.New("loopback address is prohibited.")
		}
	}

	// An attacker may change the DNS record between CHECK and USE.

	// USE
	req, err := http.NewRequest("GET", imageUrl, nil)
```

SEE ALSO

@tkng (Contributor) commented Jan 8, 2017

Hi, thanks for notifying us of this issue.

Using paranoidhttp is apparently a better solution; I'll try it.

@tkng (Contributor) commented Jan 26, 2017

I tried to replace yoya-thumber's http client with paranoidhttp, but aborted. Paranoidhttp doesn't support IPv6. I couldn't estimate the extent of the impact if we dropped IPv6 support.

There are several possible solutions.

  1. Investigate the rate of "IPv6 only" sites from log files. If it is low enough, then we'll be able to replace the http client with paranoidhttp.
  2. Make a pull request to add IPv6 support to paranoidhttp.

I think that it's better to choose the 2nd option.
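One way to close the check/use gap described in the issue, while keeping IPv6 as tkng's follow-up requires, as an added example that is not code from yoya-thumber or paranoidhttp: move the check into the `http.Transport` dialer, so the address that is checked is the literal IP that is connected to and no second DNS lookup can happen in between. The function names and the address policy are my own assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

// isForbiddenIP covers IPv4 and IPv6 alike: 127/8 and ::1, RFC 1918 and fc00::/7, link-local, multicast, unspecified.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// pickSafeIP refuses the name if any resolved address is forbidden; otherwise it returns the first.
func pickSafeIP(host string, ips []net.IPAddr) (net.IP, error) {
	for _, a := range ips {
		if isForbiddenIP(a.IP) {
			return nil, fmt.Errorf("refusing %s: resolves to %s", host, a.IP)
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%s resolved to no addresses", host)
	}
	return ips[0].IP, nil
}

// safeDialContext resolves, checks, then dials the literal IP it checked,
// so the transport cannot do a second lookup between check and connect.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	ip, err := pickSafeIP(host, ips)
	if err != nil {
		return nil, err
	}
	var d net.Dialer
	return d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
}

// newSafeClient: every connection, redirects included, goes through safeDialContext.
func newSafeClient() *http.Client {
	return &http.Client{Transport: &http.Transport{DialContext: safeDialContext}}
}
```

The transport still takes the TLS ServerName from the request URL, so HTTPS keeps working even though the dial target is a literal IP.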
