author | Chocobozzz <me@florianbigard.com> | 2022-02-07 11:21:25 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-02-07 11:21:25 +0100 |
commit | f33e515991a32885622b217bf2ed1d1b0d9d6832 (patch) | |
tree | 43bf9e63c821f2b363ee60e8b1de07ab7c883580 /server/middlewares | |
parent | 4afec7357129590b0e0f3558ecb9ac20e0903600 (diff) | |
Correctly check import target URL IP
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/validators/videos/video-imports.ts | 18 |
1 files changed, 7 insertions, 11 deletions
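--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -1,6 +1,6 @@
 import express from 'express'
 import { body, param } from 'express-validator'
-import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js'
+import { isResolvingToUnicastOnly } from '@server/helpers/dns'
 import { isPreImportVideoAccepted } from '@server/lib/moderation'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserAccountId, MVideoImport } from '@server/types/models'
@@ -76,17 +76,13 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
 if (req.body.targetUrl) {
 const hostname = new URL(req.body.targetUrl).hostname
 
-if (isIPValid(hostname)) {
-const parsed = parseIP(hostname)
+if (await isResolvingToUnicastOnly(hostname) !== true) {
+cleanUpReqFiles(req)
 
-if (parsed.range() !== 'unicast') {
-cleanUpReqFiles(req)
-
-return res.fail({
-status: HttpStatusCode.FORBIDDEN_403,
-message: 'Cannot use non unicast IP as targetUrl.'
-})
-}
+return res.fail({
+status: HttpStatusCode.FORBIDDEN_403,
+message: 'Cannot use non unicast IP as targetUrl.'
+})
 }
 }
 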
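Review bot: The `isResolvingToUnicastOnly(hostname)` check at new line 79 validates a DNS answer obtained at request time, but nothing in this hunk ties that answer to the address the importer later connects to, so a hostname whose resolution changes between validation and download, or a target that redirects, could presumably still lead the server to a non-unicast address. The download code is not visible here, so this is an inference to confirm; if it holds, the same check belongs at connection time (on the resolved address and on each redirect target), and the limit should at least be recorded here with `// Pre-flight check only: the download path must re-validate the address it connects to, including redirects`. The 403 text 'Cannot use non unicast IP as targetUrl.' is now also returned when `targetUrl` holds a hostname, and apparently whenever the helper returns anything other than `true`, so `message: 'targetUrl must resolve only to unicast IP addresses.'` would describe the rejection more accurately. The validator body starts and ends outside the hunk.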