Correctly check import target URL IP

author: Chocobozzz <me@florianbigard.com> 2022-02-07 11:21:25 +0100
committer: Chocobozzz <me@florianbigard.com> 2022-02-07 11:21:25 +0100
commit: f33e515991a32885622b217bf2ed1d1b0d9d6832 (patch)
tree: 43bf9e63c821f2b363ee60e8b1de07ab7c883580 /server/middlewares
parent: 4afec7357129590b0e0f3558ecb9ac20e0903600 (diff)
download: PeerTube-f33e515991a32885622b217bf2ed1d1b0d9d6832.tar.gz
PeerTube-f33e515991a32885622b217bf2ed1d1b0d9d6832.tar.zst
PeerTube-f33e515991a32885622b217bf2ed1d1b0d9d6832.zip
1 files changed, 7 insertions, 11 deletions
diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts
index a3a5cc531..9c6d213c4 100644
--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -1,6 +1,6 @@
 import express from 'express'
 import { body, param } from 'express-validator'
-import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js'
+import { isResolvingToUnicastOnly } from '@server/helpers/dns'
 import { isPreImportVideoAccepted } from '@server/lib/moderation'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserAccountId, MVideoImport } from '@server/types/models'
@@ -76,17 +76,13 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
    if (req.body.targetUrl) {
      const hostname = new URL(req.body.targetUrl).hostname
-      if (isIPValid(hostname)) {
+      if (await isResolvingToUnicastOnly(hostname) !== true) {
-        const parsed = parseIP(hostname)
+        cleanUpReqFiles(req)
-        if (parsed.range() !== 'unicast') {
+        return res.fail({
-          cleanUpReqFiles(req)
+          status: HttpStatusCode.FORBIDDEN_403,
+          message: 'Cannot use non unicast IP as targetUrl.'
-          return res.fail({
+        })
-            status: HttpStatusCode.FORBIDDEN_403,
-            message: 'Cannot use non unicast IP as targetUrl.'
-          })
-        }
      }
    }
author	Chocobozzz <me@florianbigard.com>	2022-02-07 11:21:25 +0100
committer	Chocobozzz <me@florianbigard.com>	2022-02-07 11:21:25 +0100
commit	f33e515991a32885622b217bf2ed1d1b0d9d6832 (patch)
tree	43bf9e63c821f2b363ee60e8b1de07ab7c883580 /server/middlewares
parent	4afec7357129590b0e0f3558ecb9ac20e0903600 (diff)
download	PeerTube-f33e515991a32885622b217bf2ed1d1b0d9d6832.tar.gz PeerTube-f33e515991a32885622b217bf2ed1d1b0d9d6832.tar.zst PeerTube-f33e515991a32885622b217bf2ed1d1b0d9d6832.zip

diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts index a3a5cc531..9c6d213c4 100644 --- a/server/middlewares/validators/videos/video-imports.ts +++ b/server/middlewares/validators/videos/video-imports.ts
@@ -1,6 +1,6 @@
1	import express from 'express'	1	import express from 'express'
2	import { body, param } from 'express-validator'	2	import { body, param } from 'express-validator'
3	import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js'	3	import { isResolvingToUnicastOnly } from '@server/helpers/dns'
4	import { isPreImportVideoAccepted } from '@server/lib/moderation'	4	import { isPreImportVideoAccepted } from '@server/lib/moderation'
5	import { Hooks } from '@server/lib/plugins/hooks'	5	import { Hooks } from '@server/lib/plugins/hooks'
6	import { MUserAccountId, MVideoImport } from '@server/types/models'	6	import { MUserAccountId, MVideoImport } from '@server/types/models'
@@ -76,17 +76,13 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
76	if (req.body.targetUrl) {	76	if (req.body.targetUrl) {
77	const hostname = new URL(req.body.targetUrl).hostname	77	const hostname = new URL(req.body.targetUrl).hostname
78		78
79	if (isIPValid(hostname)) {	79	if (await isResolvingToUnicastOnly(hostname) !== true) {
80	const parsed = parseIP(hostname)	80	cleanUpReqFiles(req)
81		81
82	if (parsed.range() !== 'unicast') {	82	return res.fail({
83	cleanUpReqFiles(req)	83	status: HttpStatusCode.FORBIDDEN_403,
84		84	message: 'Cannot use non unicast IP as targetUrl.'
85	return res.fail({	85	})
86	status: HttpStatusCode.FORBIDDEN_403,
87	message: 'Cannot use non unicast IP as targetUrl.'
88	})
89	}
90	}	86	}
91	}	87	}
92		88