From e4547338007bdcc67c52608621b44481e3844529 Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Fri, 3 May 2019 18:18:05 -0600
Subject: [PATCH] Security: Block unroutable addresses

See https://github.com/matrix-org/synapse/pull/5134
---
 .../turt2live/matrix-media-repo/common/config/config.go | 3 +++
 .../controllers/preview_controller/preview_controller.go | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/src/github.com/turt2live/matrix-media-repo/common/config/config.go b/src/github.com/turt2live/matrix-media-repo/common/config/config.go
index e0ca7b6b..ac175480 100644
--- a/src/github.com/turt2live/matrix-media-repo/common/config/config.go
+++ b/src/github.com/turt2live/matrix-media-repo/common/config/config.go
@@ -252,6 +252,9 @@ func NewDefaultConfig() *MediaRepoConfig {
 "192.168.0.0/16",
 "100.64.0.0/10",
 "169.254.0.0/16",
+ "::1/128",
+ "fe80::/64",
+ "fc00::/7",
 },
 AllowedNetworks: []string{
 "0.0.0.0/0", // "Everything"
diff --git a/src/github.com/turt2live/matrix-media-repo/controllers/preview_controller/preview_controller.go b/src/github.com/turt2live/matrix-media-repo/controllers/preview_controller/preview_controller.go
index ba565626..ec0ebeda 100644
--- a/src/github.com/turt2live/matrix-media-repo/controllers/preview_controller/preview_controller.go
+++ b/src/github.com/turt2live/matrix-media-repo/controllers/preview_controller/preview_controller.go
@@ -78,6 +78,11 @@ func GetPreview(urlStr string, onHost string, forUserId string, atTs int64, ctx
 if deniedCidrs == nil {
 deniedCidrs = []string{}
 }
+
+ // Forcefully append 0.0.0.0 and :: because they are unroutable and resolve to localhost
+ deniedCidrs = append(deniedCidrs, "0.0.0.0/32")
+ deniedCidrs = append(deniedCidrs, "::/128")
+
 if !isAllowed(addr, allowedCidrs, deniedCidrs, log) {
 db.InsertPreviewError(urlStr, common.ErrCodeHostBlacklisted)
 return nil, common.ErrHostBlacklisted
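Review bot: The added `"fe80::/64"` entry in the default deny list covers only the first /64 of the IPv6 link-local range; RFC 4291 reserves `fe80::/10` for link-local addresses, so an answer in the rest of that prefix would pass this entry while being just as unroutable as the addresses the commit sets out to block. `"fe80::/10",` is the usual default. It is not visible here whether IPv4-mapped IPv6 answers are normalized to their IPv4 form before the CIDR comparison in isAllowed; if they are not, the default list would also need `"::ffff:0:0/96",` so that the IPv4 private-range entries above it still apply. NewDefaultConfig starts and ends outside the hunk.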
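Review bot: The two `append` calls on `deniedCidrs` write into whatever backing array that slice came from; the nil check just above suggests it is read from the configuration, and if that slice has spare capacity the appended entries land in storage shared with the config and with other concurrent calls of GetPreview, so they could overwrite or observe each other's writes. Forcing a copy before appending avoids the aliasing, e.g. `deniedCidrs = append(deniedCidrs[:len(deniedCidrs):len(deniedCidrs)], "0.0.0.0/32", "::/128")`, which also collapses the two appends into one. Where `deniedCidrs` is assigned is above the hunk, so the aliasing is inferred rather than seen. GetPreview starts and ends outside the hunk.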