Security: disallow blind SSRF to link-local IPs via URL unfurling

This commit is contained in:
Jeremy Daer
2025-12-02 21:33:44 -08:00
parent 1babf3f9ed
commit 5667262d1c
2 changed files with 9 additions and 1 deletions


@@ -16,7 +16,7 @@ module RestrictedHTTP
def private_ip?(ip)
IPAddr.new(ip).then do |ipaddr|
ipaddr.private? || ipaddr.loopback? || LOCAL_IP.include?(ipaddr)
ipaddr.private? || ipaddr.loopback? || ipaddr.link_local? || LOCAL_IP.include?(ipaddr)
end
rescue IPAddr::InvalidAddressError
true
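Review bot: An IPv4-mapped IPv6 address such as `::ffff:169.254.169.254` (or `::ffff:10.0.0.1`) still passes the new predicate on the added line, because IPAddr's `private?`, `loopback?` and `link_local?` test only the native IPv6 ranges (fc00::/7, ::1, fe80::/10) and, as far as I recall the stdlib implementation, do not unwrap the mapped prefix, so the guard silently depends on the resolver never returning that form. Normalising before the range checks closes the gap: `IPAddr.new(ip).then { |a| a.ipv4_mapped? ? a.native : a }.then do |ipaddr|`, with a test that stubs the resolver to return the mapped form. Whether the remaining `LOCAL_IP` set also covers the unspecified addresses `0.0.0.0` and `::` cannot be seen from this hunk. The `rescue` clause failing closed to `true` is the right default; the method's closing `end` lies outside the hunk.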


@@ -21,6 +21,14 @@ class Opengraph::LocationTest < ActiveSupport::TestCase
assert_equal [ "is not public" ], location.errors[:url]
end
test "link-local addresses are blocked" do
Resolv.stubs(:getaddress).with("metadata.internal").returns("169.254.169.254")
location = Opengraph::Location.new("https://metadata.internal")
assert_not location.valid?
assert_equal [ "is not public" ], location.errors[:url]
end
test "avoid reading file urls when expecting HTML" do
large_file = Opengraph::Location.new("https://www.example.com/100gb.zip")