addresses #2498: Protect source downloader against server-side request forgery attacks

app/logical/downloads/file.rb

@@ -63,6 +63,13 @@ module Downloads
       src
     end
 
+    def validate_local_hosts(url)
+      ip_addr = Resolv.getaddress(url.hostname)
+      if Danbooru.config.banned_ip_for_download?(ip_addr)
+        raise Error.new("Banned server for download")
+      end
+    end
+
     def http_get_streaming(src, datums = {}, options = {})
       max_size = options[:max_size] || Danbooru.config.max_file_size
       max_size = nil if max_size == 0 # unlimited
@@ -81,6 +88,8 @@ module Downloads
         src, headers, datums = before_download(src, headers, datums)
         url = URI.parse(src)
 
+        validate_local_hosts(url)
+
         begin
           Net::HTTP.start(url.host, url.port, :use_ssl => url.is_a?(URI::HTTPS)) do |http|
             http.read_timeout = 10

config/danbooru_default_config.rb

@@ -359,5 +359,10 @@ module Danbooru
     def enable_post_search_counts
       false
     end
+
+    # For downloads, if the host matches any of these IPs, block it
+    def banned_ip_for_download?(ip_addr)
+      ip_addr =~ /^(?:127\.0\.0\.1|::1|169\.254\.\d+\.\d+|fe80::.*)$/
+    end
   end
 end