addresses #2498: Protect source downloader against server-side request forgery attacks

2015-08-18 12:25:26 -07:00
parent 767b11d4b5
commit 407523b04c
2 changed files with 14 additions and 0 deletions
--- a/app/logical/downloads/file.rb
+++ b/app/logical/downloads/file.rb
@@ -63,6 +63,13 @@ module Downloads
      src
    end

+    def validate_local_hosts(url)
+      ip_addr = Resolv.getaddress(url.hostname)
+      if Danbooru.config.banned_ip_for_download?(ip_addr)
+        raise Error.new("Banned server for download")
+      end
+    end
+
    def http_get_streaming(src, datums = {}, options = {})
      max_size = options[:max_size] || Danbooru.config.max_file_size
      max_size = nil if max_size == 0 # unlimited
@@ -81,6 +88,8 @@ module Downloads
        src, headers, datums = before_download(src, headers, datums)
        url = URI.parse(src)

+        validate_local_hosts(url)
+
        begin
          Net::HTTP.start(url.host, url.port, :use_ssl => url.is_a?(URI::HTTPS)) do |http|
            http.read_timeout = 10
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
@@ -359,5 +359,10 @@ module Danbooru
    def enable_post_search_counts
      false
    end
+
+    # For downloads, if the host matches any of these IPs, block it
+    def banned_ip_for_download?(ip_addr)
+      ip_addr =~ /^(?:127\.0\.0\.1|::1|169\.254\.\d+\.\d+|fe80::.*)$/
+    end
  end
 end