WIP
thomasf committed Nov 13, 2022
1 parent 6979431 commit 97e4dda
Showing 1 changed file with 40 additions and 1 deletion.
41 changes: 40 additions & 1 deletion loader/httploader/httploader.go
Expand Up @@ -5,10 +5,12 @@ import (
"errors"
"fmt"
"io"
"net"
"net/http"
"net/url"
"strconv"
"strings"
"syscall"

"github.com/cshum/imagor"
)
Expand Down Expand Up @@ -44,8 +46,13 @@ type HTTPLoader struct {
}

func New(options ...Option) *HTTPLoader {
transport := http.DefaultTransport.(*http.Transport).Clone()
sd := SafeDialer{}
dialer := &net.Dialer{Control: sd.dialControl}
transport.DialContext = dialer.DialContext

h := &HTTPLoader{
Transport: http.DefaultTransport.(*http.Transport).Clone(),
Transport: transport,
OverrideHeaders: map[string]string{},
DefaultScheme: "https",
Accept: "*/*",
Expand Down Expand Up @@ -179,3 +186,35 @@ func (h *HTTPLoader) checkRedirect(r *http.Request, via []*http.Request) error {
}
return nil
}

type SafeDialer struct {
BlockNetworks []*net.IPNet
BlockLoopback bool
BlockPrivate bool
BlockLinkLocal bool
}

func (s *SafeDialer) dialControl(network string, address string, conn syscall.RawConn) error {
host, _, err := net.SplitHostPort(address)
if err != nil {
return err
}
addr := net.ParseIP(host)

if s.BlockLoopback && addr.IsLoopback() {
return fmt.Errorf("unauthorized request")
}
if s.BlockLinkLocal && (addr.IsLinkLocalUnicast() || addr.IsLinkLocalMulticast()) {
return fmt.Errorf("unauthorized request")
}
if s.BlockPrivate && addr.IsPrivate() {
return fmt.Errorf("unauthorized request")
}

for _, block := range s.BlockNetworks {
if block.Contains(addr) {
return fmt.Errorf("unauthorized request")
}
}
return nil
}
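Review bot: `dialControl` fails open when `net.ParseIP(host)` returns nil, because every `Is…` check and `block.Contains(addr)` is false for a nil IP; an address the parser rejects (an IPv6 literal with a zone such as `fe80::1%eth0` is one likely case, if the dialer passes it in that form) is then allowed, so add `if addr == nil { return fmt.Errorf("unauthorized request") }` right after the parse. In `New`, `sd := SafeDialer{}` leaves all three flags false and `BlockNetworks` empty, and `sd` is a local that no option visible here can reach, so as committed the control hook rejects nothing; either default the flags to true or keep the dialer on `HTTPLoader` so an option can configure it. `BlockLoopback` does not cover the unspecified address, which some stacks route to the local host, so the loopback test would be safer as `addr.IsLoopback() || addr.IsUnspecified()`. `SafeDialer` is exported without a doc comment; one stating that the check runs on the resolved address of each connection attempt, and that a nil or unparsable address is refused, would record the intended contract.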
