Disallow SSRF via IPv4-mapped IPv6 addresses

This commit is contained in:
Stanko K.R.
2025-12-03 08:08:34 +01:00
parent 5667262d1c
commit 0672673916
2 changed files with 15 additions and 1 deletions


@@ -16,7 +16,7 @@ module RestrictedHTTP
def private_ip?(ip)
IPAddr.new(ip).then do |ipaddr|
ipaddr.private? || ipaddr.loopback? || ipaddr.link_local? || LOCAL_IP.include?(ipaddr)
ipaddr.private? || ipaddr.loopback? || ipaddr.link_local? || ipaddr.ipv4_mapped? || LOCAL_IP.include?(ipaddr)
end
rescue IPAddr::InvalidAddressError
true
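Review bot: The `ipv4_mapped?` check on the changed line rejects all of ::ffff:0:0/96 (public mapped addresses included, which is a safe default), but the same IPv4-embedding trick survives in prefixes that `private?` never inspects: NAT64 `64:ff9b::/96`, 6to4 `2002::/16` and the deprecated IPv4-compatible form `::/96` (`::192.168.1.1`), so a resolver answer in one of those shapes still passes the predicate. Consider a frozen constant `EMBEDDED_IPV4 = %w[::/96 64:ff9b::/96 2002::/16].map { |cidr| IPAddr.new(cidr) }.freeze` and appending `|| EMBEDDED_IPV4.any? { |net| net.include?(ipaddr) }` to the predicate, or unwrapping with `ipaddr.native` and re-running the check on the embedded IPv4 address if mapped public addresses should stay reachable. On the IPv4 side, `IPAddr#private?` covers only 10/8, 172.16/12 and 192.168/16, so `0.0.0.0` (which connects to the local host on Linux) and CGNAT `100.64.0.0/10` are still accepted unless `LOCAL_IP`, defined outside this hunk, lists them. The closing `end` of `private_ip?` lies past the end of the hunk.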


@@ -29,6 +29,20 @@ class Opengraph::LocationTest < ActiveSupport::TestCase
assert_equal [ "is not public" ], location.errors[:url]
end
test "IPv6 addresses mapped to IPv4 addresses are blocked" do
Resolv.stubs(:getaddress).with("metadata.internal").returns("::ffff:192.168.1.1")
location = Opengraph::Location.new("https://metadata.internal")
assert_not location.valid?
assert_equal [ "is not public" ], location.errors[:url]
Resolv.stubs(:getaddress).with("metadata.internal").returns("::ffff:c0a8:0101")
location = Opengraph::Location.new("https://metadata.internal")
assert_not location.valid?
assert_equal [ "is not public" ], location.errors[:url]
end
test "avoid reading file urls when expecting HTML" do
large_file = Opengraph::Location.new("https://www.example.com/100gb.zip")