From f33e515991a32885622b217bf2ed1d1b0d9d6832 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Mon, 7 Feb 2022 11:21:25 +0100 Subject: Correctly check import target URL IP --- server/middlewares/validators/videos/video-imports.ts | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) (limited to 'server/middlewares/validators/videos') diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts index a3a5cc531..9c6d213c4 100644 --- a/server/middlewares/validators/videos/video-imports.ts +++ b/server/middlewares/validators/videos/video-imports.ts @@ -1,6 +1,6 @@ import express from 'express' import { body, param } from 'express-validator' -import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js' +import { isResolvingToUnicastOnly } from '@server/helpers/dns' import { isPreImportVideoAccepted } from '@server/lib/moderation' import { Hooks } from '@server/lib/plugins/hooks' import { MUserAccountId, MVideoImport } from '@server/types/models' @@ -76,17 +76,13 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([ if (req.body.targetUrl) { const hostname = new URL(req.body.targetUrl).hostname - if (isIPValid(hostname)) { - const parsed = parseIP(hostname) + if (await isResolvingToUnicastOnly(hostname) !== true) { + cleanUpReqFiles(req) - if (parsed.range() !== 'unicast') { - cleanUpReqFiles(req) - - return res.fail({ - status: HttpStatusCode.FORBIDDEN_403, - message: 'Cannot use non unicast IP as targetUrl.' - }) - } + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot use non unicast IP as targetUrl.' + }) } } -- cgit v1.2.3