fix: prevent previewing internal network web pages. (#4421)

f8c973c9 · MHZ · GitHub · 2aaaef79 · f8c973c9
Unverified Commit f8c973c9 authored Feb 19, 2025 by MHZ Committed by GitHub Feb 19, 2025
Show whitespace changes
Inline Side-by-side

Showing with 26 additions and 1 deletion

html_meta.go plugin/httpgetter/html_meta.go +26 -1

No files found.
--- a/plugin/httpgetter/html_meta.go
+++ b/plugin/httpgetter/html_meta.go
@@ -3,6 +3,7 @@ package httpgetter
 import (
 	"errors"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
@@ -17,7 +18,7 @@ type HTMLMeta struct {
 }
 func GetHTMLMeta(urlStr string) (*HTMLMeta, error) {
-	if _, err := url.Parse(urlStr); err != nil {
+	if err := validateURL(urlStr); err != nil {
 		return nil, err
 	}
@@ -35,6 +36,8 @@ func GetHTMLMeta(urlStr string) (*HTMLMeta, error) {
 		return nil, errors.New("not a HTML page")
 	}
+	// TODO: limit the size of the response body
 	htmlMeta := extractHTMLMeta(response.Body)
 	return htmlMeta, nil
 }
@@ -96,3 +99,25 @@ func extractMetaProperty(token html.Token, prop string) (content string, ok bool
 	}
 	return content, ok
 }
+func validateURL(urlStr string) error {
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		return errors.New("invalid URL format")
+	}
+	if u.Scheme != "http" && u.Scheme != "https" {
+		return errors.New("only http/https protocols are allowed")
+	}
+	if host := u.Hostname(); host != "" {
+		ip := net.ParseIP(host)
+		if ip != nil {
+			if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() {
+				return errors.New("internal IP addresses are not allowed")
+			}
+		}
+	}
+	return nil
+}