Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default

2025-10-11 12:42:29 +02:00 · 2023-03-22 20:25:51 +03:00
parent 24f4d43a0f
commit 1a9768a2c6
8 changed files with 110 additions and 18 deletions
--- a/security/source.go
+++ b/security/source.go
@@ -1,17 +1,57 @@
 package security

 import (
+	"errors"
+	"fmt"
+	"net"
+
 	"github.com/imgproxy/imgproxy/v3/config"
+	"github.com/imgproxy/imgproxy/v3/ierrors"
 )

-func VerifySourceURL(imageURL string) bool {
+var ErrSourceAddressNotAllowed = errors.New("source address is not allowed")
+var ErrInvalidSourceAddress = errors.New("invalid source address")
+
+func VerifySourceURL(imageURL string) error {
 	if len(config.AllowedSources) == 0 {
-		return true
+		return nil
 	}
+
 	for _, allowedSource := range config.AllowedSources {
 		if allowedSource.MatchString(imageURL) {
-			return true
+			return nil
 		}
 	}
-	return false
+
+	return ierrors.New(
+		404,
+		fmt.Sprintf("Source URL is not allowed: %s", imageURL),
+		"Invalid source",
+	)
+}
+
+func VerifySourceNetwork(addr string) error {
+	host, _, err := net.SplitHostPort(addr)
+	if err != nil {
+		host = addr
+	}
+
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return ErrInvalidSourceAddress
+	}
+
+	if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() {
+		return ErrSourceAddressNotAllowed
+	}
+
+	if !config.AllowLinkLocalSourceAddresses && (ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()) {
+		return ErrSourceAddressNotAllowed
+	}
+
+	if !config.AllowPrivateSourceAddresses && ip.IsPrivate() {
+		return ErrSourceAddressNotAllowed
+	}
+
+	return nil
 }