go/imgproxy
1
0
Fork 0
mirror of https://github.com/imgproxy/imgproxy.git synced 2025-12-23 22:11:10 +02:00
Code Releases Activity
Files
better-errors
imgproxy/security/source.go

49 lines
1.1 KiB
Go
Raw Permalink Normal View History

Global refactoring
2021-04-26 17:52:50 +06:00
package security
import (
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
"fmt"
"net"
Bump version
2021-09-30 20:23:30 +06:00
"github.com/imgproxy/imgproxy/v3/config"
Global refactoring
2021-04-26 17:52:50 +06:00
)
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
func VerifySourceURL(imageURL string) error {
Global refactoring
2021-04-26 17:52:50 +06:00
if len(config.AllowedSources) == 0 {
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
return nil
Global refactoring
2021-04-26 17:52:50 +06:00
}
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
Merge branch 'master' into version/3
2021-09-07 19:04:33 +06:00
for _, allowedSource := range config.AllowedSources {
if allowedSource.MatchString(imageURL) {
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
return nil
Global refactoring
2021-04-26 17:52:50 +06:00
}
}
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
Revised errors for better error reporting
2025-02-17 22:11:40 +03:00
return newSourceURLError(imageURL)
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
}
func VerifySourceNetwork(addr string) error {
host, _, err := net.SplitHostPort(addr)
if err != nil {
host = addr
}
ip := net.ParseIP(host)
if ip == nil {
Revised errors for better error reporting
2025-02-17 22:11:40 +03:00
return newSourceAddressError(fmt.Sprintf("Invalid source address: %s", addr))
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
}
Fix for GHSA-j2hp-6m75-v4j4
2025-01-19 11:11:57 -08:00
if !config.AllowLoopbackSourceAddresses && (ip.IsLoopback() || ip.IsUnspecified()) {
Revised errors for better error reporting
2025-02-17 22:11:40 +03:00
return newSourceAddressError(fmt.Sprintf("Loopback source address is not allowed: %s", addr))
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
}
if !config.AllowLinkLocalSourceAddresses && (ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()) {
Revised errors for better error reporting
2025-02-17 22:11:40 +03:00
return newSourceAddressError(fmt.Sprintf("Link-local source address is not allowed: %s", addr))
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
}
if !config.AllowPrivateSourceAddresses && ip.IsPrivate() {
Revised errors for better error reporting
2025-02-17 22:11:40 +03:00
return newSourceAddressError(fmt.Sprintf("Private source address is not allowed: %s", addr))
Prohibit connecting to loopback, link-local multicast, and link-local unicast IP addresses by default
2023-03-22 20:25:51 +03:00
}
return nil
Global refactoring
2021-04-26 17:52:50 +06:00
}
Copy Permalink