Security: Block unroutable addresses

See matrix-org/synapse#5134
t2bot · May 4, 2019 · e454733 · e454733
1 parent 78d3ee4
commit e454733
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/src/github.com/turt2live/matrix-media-repo/common/config/config.go b/src/github.com/turt2live/matrix-media-repo/common/config/config.go
@@ -252,6 +252,9 @@ func NewDefaultConfig() *MediaRepoConfig {
 				"192.168.0.0/16",
 				"100.64.0.0/10",
 				"169.254.0.0/16",
+				"::1/128",
+				"fe80::/64",
+				"fc00::/7",
 			},
 			AllowedNetworks: []string{
 				"0.0.0.0/0", // "Everything"

diff --git a/...thub.com/turt2live/matrix-media-repo/controllers/preview_controller/preview_controller.go b/...thub.com/turt2live/matrix-media-repo/controllers/preview_controller/preview_controller.go
@@ -78,6 +78,11 @@ func GetPreview(urlStr string, onHost string, forUserId string, atTs int64, ctx
 	if deniedCidrs == nil {
 		deniedCidrs = []string{}
 	}
+
+	// Forcefully append 0.0.0.0 and :: because they are unroutable and resolve to localhost
+	deniedCidrs = append(deniedCidrs, "0.0.0.0/32")
+	deniedCidrs = append(deniedCidrs, "::/128")
+
 	if !isAllowed(addr, allowedCidrs, deniedCidrs, log) {
 		db.InsertPreviewError(urlStr, common.ErrCodeHostBlacklisted)
 		return nil, common.ErrHostBlacklisted