import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
import { areValidationErrors, doesVideoChannelOfAccountExist } from '../shared'
import { getCommonVideoEditAttributes } from './videos'
+import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js'
const videoImportAddValidator = getCommonVideoEditAttributes().concat([
body('channelId')
return res.fail({ message: 'Should have a magnetUri or a targetUrl or a torrent file.' })
}
+ if (req.body.targetUrl) {
+ const hostname = new URL(req.body.targetUrl).hostname
+
+ if (isIPValid(hostname)) {
+ const parsed = parseIP(hostname)
+
+ if (parsed.range() !== 'unicast') {
+ cleanUpReqFiles(req)
+
+ return res.fail({
+ status: HttpStatusCode.FORBIDDEN_403,
+ message: 'Cannot use non unicast IP as targetUrl.'
+ })
+ }
+ }
+ }
+
if (!await isImportAccepted(req, res)) return cleanUpReqFiles(req)
return next()
await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
})
+ it('Should fail with localhost', async function () {
+ const fields = { ...baseCorrectParams, targetUrl: 'http://localhost:8000' }
+
+ await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
+ })
+
+ it('Should fail with a private IP target urls', async function () {
+ const targetUrls = [
+ 'http://127.0.0.1:8000',
+ 'http://127.0.0.1',
+ 'http://127.0.0.1/hello',
+ 'https://192.168.1.42',
+ 'http://192.168.1.42'
+ ]
+
+ for (const targetUrl of targetUrls) {
+ const fields = { ...baseCorrectParams, targetUrl }
+
+ await makePostBodyRequest({
+ url: server.url,
+ path,
+ token: server.accessToken,
+ fields,
+ expectedStatus: HttpStatusCode.FORBIDDEN_403
+ })
+ }
+ })
+
it('Should fail with a long name', async function () {
const fields = { ...baseCorrectParams, name: 'super'.repeat(65) }