From 407523b04cb3101c558294607adeb9858221dd8c Mon Sep 17 00:00:00 2001
From: r888888888
Date: Tue, 18 Aug 2015 12:25:26 -0700
Subject: [PATCH] addresses #2498: Protect source downloader against server-side request forgery attacks

---
 app/logical/downloads/file.rb | 9 +++++++++
 config/danbooru_default_config.rb | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/app/logical/downloads/file.rb b/app/logical/downloads/file.rb
index a4141a53b..cfae3e5a2 100644
--- a/app/logical/downloads/file.rb
+++ b/app/logical/downloads/file.rb
@@ -63,6 +63,13 @@ module Downloads
       src
     end
 
+    def validate_local_hosts(url)
+      ip_addr = Resolv.getaddress(url.hostname)
+      if Danbooru.config.banned_ip_for_download?(ip_addr)
+        raise Error.new("Banned server for download")
+      end
+    end
+
     def http_get_streaming(src, datums = {}, options = {})
       max_size = options[:max_size] || Danbooru.config.max_file_size
       max_size = nil if max_size == 0 # unlimited
@@ -81,6 +88,8 @@ module Downloads
       src, headers, datums = before_download(src, headers, datums)
       url = URI.parse(src)
 
+      validate_local_hosts(url)
+
       begin
         Net::HTTP.start(url.host, url.port, :use_ssl => url.is_a?(URI::HTTPS)) do |http|
           http.read_timeout = 10
diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb
index d884ba8fa..542d2c3a2 100644
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
@@ -359,5 +359,10 @@ module Danbooru
     def enable_post_search_counts
       false
     end
+
+    # For downloads, if the host matches any of these IPs, block it
+    def banned_ip_for_download?(ip_addr)
+      ip_addr =~ /^(?:127\.0\.0\.1|::1|169\.254\.\d+\.\d+|fe80::.*)$/
+    end
   end
 end
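Review bot: `Resolv.getaddress(url.hostname)` in validate_local_hosts returns only the first address for the name, so a host that publishes several A/AAAA records (one public, one loopback or link-local) passes the check whenever the public record is returned first. Checking every answer closes that gap with a one-line change: `if Resolv.getaddresses(url.hostname).any? { |ip| Danbooru.config.banned_ip_for_download?(ip) }`. Note also that `Resolv.getaddress` raises `Resolv::ResolvError` for a name that does not resolve and `url.hostname` is nil for a URL without an authority, so callers rescuing the download `Error` will not see those failures; that is probably acceptable, but a comment such as `# raises Resolv::ResolvError when the host does not resolve` would record it. The method is complete within the hunk; the enclosing class starts outside it.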
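Review bot: The address vetted by `validate_local_hosts(url)` is not the address the connection uses: `Net::HTTP.start(url.host, url.port, ...)` on the following lines performs its own, independent name lookup, so a name whose DNS answer changes between the two lookups (DNS rebinding, or a short-TTL record) can pass the check and still connect to a loopback or link-local address. Closing this fully means connecting to the IP that was checked (on Ruby 2.5+ `Net::HTTP#ipaddr=` allows that while keeping the Host header); until then a comment such as `# NOTE: vets the name only; Net::HTTP re-resolves it below, so this is best-effort` makes the limitation visible. If http_get_streaming follows redirects further down — the method continues past the hunk, so I cannot tell — each Location target needs the same check, otherwise a public host can redirect to a link-local address and bypass it entirely.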
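Review bot: The regex in `ip_addr =~ /^(?:127\.0\.0\.1|::1|169\.254\.\d+\.\d+|fe80::.*)$/` blocks four literal forms only, so `127.0.0.2` (or any other address in 127.0.0.0/8), `0.0.0.0`, the IPv4-mapped forms `::ffff:127.0.0.1` / `::ffff:169.254.169.254`, and the RFC 1918 and ULA ranges (10/8, 172.16/12, 192.168/16, fc00::/7) all pass and still reach local or internal services. `^`/`$` are also line anchors in Ruby; `\A`/`\z` are the whole-string ones. Comparing against CIDR ranges with the stdlib `IPAddr` covers the whole blocks, normalizes mapped addresses, and treats an unparsable address as banned; this needs `require "ipaddr"` if the config file does not already load it, and the method sits inside a class whose body starts outside the hunk.
```ruby
    # Download targets whose resolved address falls in any of these ranges are refused.
    BANNED_DOWNLOAD_RANGES = %w[
      0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
      172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
    ].map { |cidr| IPAddr.new(cidr) }.freeze

    # For downloads, block any host whose address is in BANNED_DOWNLOAD_RANGES.
    def banned_ip_for_download?(ip_addr)
      ip = IPAddr.new(ip_addr.to_s)
      ip = ip.native if ip.ipv4_mapped?   # ::ffff:127.0.0.1 -> 127.0.0.1
      BANNED_DOWNLOAD_RANGES.any? { |range| range.include?(ip) }
    rescue IPAddr::InvalidAddressError
      true  # refuse rather than fetch from an address we could not classify
    end
```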