authorChocobozzz <me@florianbigard.com>2022-02-07 11:21:25 +0100
committerChocobozzz <me@florianbigard.com>2022-02-07 11:21:25 +0100
commitf33e515991a32885622b217bf2ed1d1b0d9d6832 (patch)
tree43bf9e63c821f2b363ee60e8b1de07ab7c883580 /server/middlewares
parent4afec7357129590b0e0f3558ecb9ac20e0903600 (diff)
Correctly check import target URL IP
Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/validators/videos/video-imports.ts18
1 files changed, 7 insertions, 11 deletions
diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts
index a3a5cc531..9c6d213c4 100644
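--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -1,6 +1,6 @@
 import express from 'express'
 import { body, param } from 'express-validator'
-import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js'
+import { isResolvingToUnicastOnly } from '@server/helpers/dns'
 import { isPreImportVideoAccepted } from '@server/lib/moderation'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserAccountId, MVideoImport } from '@server/types/models'
@@ -76,17 +76,13 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
 if (req.body.targetUrl) {
 const hostname = new URL(req.body.targetUrl).hostname
 
-if (isIPValid(hostname)) {
-const parsed = parseIP(hostname)
+if (await isResolvingToUnicastOnly(hostname) !== true) {
+cleanUpReqFiles(req)
 
-if (parsed.range() !== 'unicast') {
-cleanUpReqFiles(req)
-
-return res.fail({
-status: HttpStatusCode.FORBIDDEN_403,
-message: 'Cannot use non unicast IP as targetUrl.'
-})
-}
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot use non unicast IP as targetUrl.'
+})
 }
 }
 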
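Review bot: The `isResolvingToUnicastOnly(hostname)` check at new line 79 validates the DNS answer only at request-validation time, so it protects the import only if the later fetch connects to the same address. The download code is outside this hunk, so this is inferred, but a second lookup that returns a different address, or an HTTP redirect followed by the importer, would presumably not pass through this validator again. I would add a comment above the check such as `// Validation-time check only: the importer must also refuse non-unicast addresses at connect time and on redirects` and enforce the same rule where the request is actually made. The 403 text `'Cannot use non unicast IP as targetUrl.'` is now also returned for hostnames, so `'targetUrl must resolve to unicast IP addresses only.'` would describe the rejection more accurately. The enclosing validator starts and ends outside the hunk.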