mirror of
https://github.com/imgproxy/imgproxy.git
synced 2025-01-08 10:45:04 +02:00
58 lines
1.1 KiB
Go
58 lines
1.1 KiB
Go
package security
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
|
|
"github.com/imgproxy/imgproxy/v3/config"
|
|
"github.com/imgproxy/imgproxy/v3/ierrors"
|
|
)
|
|
|
|
var ErrSourceAddressNotAllowed = errors.New("source address is not allowed")
|
|
var ErrInvalidSourceAddress = errors.New("invalid source address")
|
|
|
|
func VerifySourceURL(imageURL string) error {
|
|
if len(config.AllowedSources) == 0 {
|
|
return nil
|
|
}
|
|
|
|
for _, allowedSource := range config.AllowedSources {
|
|
if allowedSource.MatchString(imageURL) {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
return ierrors.New(
|
|
404,
|
|
fmt.Sprintf("Source URL is not allowed: %s", imageURL),
|
|
"Invalid source",
|
|
)
|
|
}
|
|
|
|
func VerifySourceNetwork(addr string) error {
|
|
host, _, err := net.SplitHostPort(addr)
|
|
if err != nil {
|
|
host = addr
|
|
}
|
|
|
|
ip := net.ParseIP(host)
|
|
if ip == nil {
|
|
return ErrInvalidSourceAddress
|
|
}
|
|
|
|
if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() {
|
|
return ErrSourceAddressNotAllowed
|
|
}
|
|
|
|
if !config.AllowLinkLocalSourceAddresses && (ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()) {
|
|
return ErrSourceAddressNotAllowed
|
|
}
|
|
|
|
if !config.AllowPrivateSourceAddresses && ip.IsPrivate() {
|
|
return ErrSourceAddressNotAllowed
|
|
}
|
|
|
|
return nil
|
|
}
|