Downloads::File: fix SSRF when following redirects (#2498).

Fixes the banned IP check not being applied when following redirects: http://danbooru.donmai.us/uploads/new?url=http://httpbin.org/redirect-to%3Furl=http://127.0.0.1/test.jpg
2018-09-18 16:00:03 -05:00
parent 99221e4028
commit 2f17082e73
2 changed files with 43 additions and 17 deletions
--- a/test/unit/downloads/file_test.rb
+++ b/test/unit/downloads/file_test.rb
@@ -11,12 +11,27 @@ module Downloads
      context "for a banned IP" do
        should "prevent downloads" do
          Resolv.expects(:getaddress).returns("127.0.0.1")
-          assert_raise(ActiveModel::ValidationError) { Downloads::File.new("http://evil.com").download! }
+          assert_raise(Downloads::File::Error) { Downloads::File.new("http://evil.com").download! }
        end

        should "prevent fetching the size" do
          Resolv.expects(:getaddress).returns("127.0.0.1")
-          assert_raise(ActiveModel::ValidationError) { Downloads::File.new("http://evil.com").size }
+          assert_raise(Downloads::File::Error) { Downloads::File.new("http://evil.com").size }
+        end
+
+        should "not follow redirects to banned IPs" do
+          url = "http://httpbin.org/redirect-to?url=http://127.0.0.1"
+          stub_request(:get, url).to_return(status: 301, headers: { "Location": "http://127.0.0.1" })
+
+          assert_raise(Downloads::File::Error) { Downloads::File.new(url).download! }
+        end
+
+        should "not follow redirects that resolve to a banned IP" do
+          url = "http://httpbin.org/redirect-to?url=http://127.0.0.1.nip.io"
+          stub_request(:get, url).to_return(status: 301, headers: { "Location": "http://127.0.0.1.xip.io" })
+          Resolv.expects(:getaddress).returns("127.0.0.1")
+
+          assert_raise(Downloads::File::Error) { Downloads::File.new(url).download! }
        end
      end