
Prevent video import on non unicast ips

release/4.0.0
Chocobozzz 2 weeks ago
parent
commit
7b54a81ccc
No known key found for this signature in database GPG Key ID: 583A612D890159BE
2 changed files with 46 additions and 0 deletions
  1. +18
    -0
      server/middlewares/validators/videos/video-imports.ts
  2. +28
    -0
      server/tests/api/check-params/video-imports.ts

+ 18
- 0
server/middlewares/validators/videos/video-imports.ts View File

@@ -13,6 +13,7 @@ import { CONFIG } from '../../../initializers/config'
import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
import { areValidationErrors, doesVideoChannelOfAccountExist } from '../shared'
import { getCommonVideoEditAttributes } from './videos'
import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js'

const videoImportAddValidator = getCommonVideoEditAttributes().concat([
body('channelId')
@@ -71,6 +72,23 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
return res.fail({ message: 'Should have a magnetUri or a targetUrl or a torrent file.' })
}

if (req.body.targetUrl) {
const hostname = new URL(req.body.targetUrl).hostname

if (isIPValid(hostname)) {
const parsed = parseIP(hostname)

if (parsed.range() !== 'unicast') {
cleanUpReqFiles(req)

return res.fail({
status: HttpStatusCode.FORBIDDEN_403,
message: 'Cannot use non unicast IP as targetUrl.'
})
}
}
}

if (!await isImportAccepted(req, res)) return cleanUpReqFiles(req)

return next()
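Review bot: The IP check on the hostname line misses IPv6 literals, because `new URL(...).hostname` keeps the square brackets (`[::1]`) and `isIPValid` then reports the string as not an IP, so the new guard is skipped and only IPv4 literals are actually rejected; strip the brackets before testing, e.g. `const hostname = new URL(req.body.targetUrl).hostname.replace(/^\[|\]$/g, '')`. The check also runs only on literal addresses: a target given as a DNS name is not resolved here, so whatever fetches the URL later still needs its own address check after resolution and after any redirect — a short comment on the guard saying it covers literals only would keep the next maintainer from assuming more. `new URL()` throws on a malformed string; presumably an earlier validator in this chain already rejects invalid `targetUrl` values, but that is not visible in the hunk. The enclosing middleware function starts before this hunk.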


+ 28
- 0
server/tests/api/check-params/video-imports.ts View File

@@ -108,6 +108,34 @@ describe('Test video imports API validator', function () {
await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
})

it('Should fail with localhost', async function () {
const fields = { ...baseCorrectParams, targetUrl: 'http://localhost:8000' }

await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
})

it('Should fail with a private IP target urls', async function () {
const targetUrls = [
'http://127.0.0.1:8000',
'http://127.0.0.1',
'http://127.0.0.1/hello',
'https://192.168.1.42',
'http://192.168.1.42'
]

for (const targetUrl of targetUrls) {
const fields = { ...baseCorrectParams, targetUrl }

await makePostBodyRequest({
url: server.url,
path,
token: server.accessToken,
fields,
expectedStatus: HttpStatusCode.FORBIDDEN_403
})
}
})

it('Should fail with a long name', async function () {
const fields = { ...baseCorrectParams, name: 'super'.repeat(65) }
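Review bot: The new localhost case does not state the status it expects, unlike the private-IP case that follows it, so it passes on whichever default `makePostBodyRequest` applies rather than pinning the forbidden response; if `localhost` is meant to be blocked by the same rule, add `expectedStatus: HttpStatusCode.FORBIDDEN_403` there, and if it is rejected for another reason (it is a hostname, not an IP literal, so the validator's unicast check does not apply to it), a one-line comment on the test saying so would make the intent clear. The private-IP list holds only IPv4 literals; adding an IPv6 loopback such as `'http://[::1]:8000'` would cover the other address family the validator is meant to handle. The `describe` block enclosing these tests starts before the hunk.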


