Validate URIs before trying to proxify them

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2021-03-24 11:17:24 +01:00
parent 7b9910f251
commit 98a219c7a9
No known key found for this signature in database
GPG key ID: A061B9DDE0CA0773

View file

@ -120,7 +120,8 @@ defmodule Mobilizon.Web.ReverseProxy do
opts opts
end end
with {:ok, code, headers, client} <- request(method, url, req_headers, hackney_opts), with {:is_url, true} <- {:is_url, valid_uri?(url)},
{:ok, code, headers, client} <- request(method, url, req_headers, hackney_opts),
:ok <- header_length_constraint(headers, Keyword.get(opts, :max_body_length)) do :ok <- header_length_constraint(headers, Keyword.get(opts, :max_body_length)) do
response(conn, client, url, code, headers, opts) response(conn, client, url, code, headers, opts)
else else
@ -129,6 +130,13 @@ defmodule Mobilizon.Web.ReverseProxy do
|> head_response(url, code, headers, opts) |> head_response(url, code, headers, opts)
|> halt() |> halt()
{:is_url, false} ->
Logger.warn("Tried to reverse proxy URL #{inspect(url)}")
conn
|> error_or_redirect(url, 500, "Request failed", opts)
|> halt()
{:error, {:invalid_http_response, code}} -> {:error, {:invalid_http_response, code}} ->
Logger.error("#{__MODULE__}: request to #{inspect(url)} failed with HTTP status #{code}") Logger.error("#{__MODULE__}: request to #{inspect(url)} failed with HTTP status #{code}")
@ -397,4 +405,10 @@ defmodule Mobilizon.Web.ReverseProxy do
def filename(url_or_path) do def filename(url_or_path) do
if path = URI.parse(url_or_path).path, do: Path.basename(path) if path = URI.parse(url_or_path).path, do: Path.basename(path)
end end
@spec valid_uri?(String.t()) :: boolean()
defp valid_uri?(url) do
uri = URI.parse(url)
uri.scheme != nil && uri.host =~ "."
end
end end