From a167091bf9e1b93e6a3628316d37aeff77d601a3 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sat, 12 Nov 2022 02:39:44 -0600
Subject: [PATCH] Danbooru::Http: fix bug when using proxy option.

Fix external HTTP requests not working when the HTTP proxy was enabled. Caused by the `public_only` option (which prevents SSRF attacks by validating that the URL doesn't resolve to a local IP) being incompatible with the `proxy` option.
---
 app/logical/danbooru/http.rb      | 8 +++++++-
 config/danbooru_default_config.rb | 4 ++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/logical/danbooru/http.rb b/app/logical/danbooru/http.rb
index a089aca8d..849cc38f7 100644
--- a/app/logical/danbooru/http.rb
+++ b/app/logical/danbooru/http.rb
@@ -55,7 +55,13 @@ module Danbooru
 
     # The default HTTP client for requests to external websites. This includes API calls to external services, fetching source data, and downloading images.
     def self.external
-      new.proxy.public_only.headers("User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0")
+      if Danbooru.config.http_proxy.present?
+        # XXX The `proxy` option is incompatible with the `public_only` option. When using a proxy, the proxy itself
+        # should be configured to block HTTP requests to IPs on the local network.
+        new.proxy.headers("User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0")
+      else
+        new.public_only.headers("User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0")
+      end
     end
 
     # The default HTTP client for API calls to internal services controlled by Danbooru.
diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb
index 326dd9844..1c96ff94a 100644
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
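Review bot: Whenever `http_proxy` is set, the new `if` branch in `self.external` drops `public_only` and with it the in-process SSRF check the commit message describes, so a proxy that has no local-network blocklist of its own silently weakens every external request, and nothing on the page verifies or logs that the proxy is configured the way the XXX comment assumes. The two branches also repeat the long User-Agent literal, so a later edit to one is easy to miss in the other. Building the client once and choosing only the filter keeps the method to two statements, `client = new.headers("User-Agent": ...)` with the existing literal, then `Danbooru.config.http_proxy.present? ? client.proxy : client.public_only` (`proxy`, `public_only` and `headers` look like chainable builder calls here; confirm their order does not matter before reordering). The XXX comment would be more useful if it said why the two options conflict — presumably `public_only` checks the IP the target resolves to, while a proxy resolves and connects on the client's behalf, so the check cannot see the real destination — and pointed at the `http_proxy` setting in `config/danbooru_default_config.rb` where the proxy-side blocking is documented.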
@@ -579,6 +579,10 @@ module Danbooru
     end
 
     # The proxy to use for outgoing HTTP requests.
+    #
+    # If you use a proxy and you're running a public-facing site, you should be careful to configure the proxy to block
+    # HTTP requests to the local network. That is, block requests to e.g. 127.0.0.1 and 192.168.0.1/24 so that users
+    # can't upload URLs like `http://192.168.0.1.nip.io/` to trigger HTTP requests to servers inside your local network.
     def http_proxy
       # "http://username:password@proxy.example.com:1080"
     end
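Review bot: The example `192.168.0.1/24` on the third added comment line is not a well-formed network (host bits are set); it should read `192.168.0.0/24`, or better the whole private block `192.168.0.0/16`. The list is also narrower than what the commit message says `public_only` protects against ("a local IP"): an operator who follows the comment literally leaves `10.0.0.0/8`, `172.16.0.0/12`, the link-local range `169.254.0.0/16` (where cloud metadata endpoints commonly live) and IPv6 `::1` reachable through the proxy. I would replace that sentence with `# That is, block requests to loopback (127.0.0.0/8, ::1), link-local (169.254.0.0/16) and private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) addresses, and to any hostname that resolves to one of them, so that users` and keep the nip.io example that follows. It is also worth stating here that `Danbooru::Http.external` skips its own `public_only` check whenever this setting is non-empty, since that is the reason the proxy's blocklist becomes the only line of defence.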