Prevent SSRF (#692)

* add log when exception happens under debug mode (#686) * Revert "add log when exception happens under debug mode (#686)" (#689) This reverts commit 7b661e5. * Prevent SSRF * Update OracleHttpsProtocol.cs * remove goto * Remove redundant code * Remove empty line Co-authored-by: Jinghui Liao <jinghui@wayne.edu> Co-authored-by: Owen Zhang <38493437+superboyiii@users.noreply.github.com> Co-authored-by: Erik Zhang <erik@neo.org>
neo-project · Mar 9, 2022 · 5afd15f · 5afd15f
1 parent 8c3a9ab
commit 5afd15f
Showing 1 changed file with 16 additions and 9 deletions.
diff --git a/src/OracleService/Protocols/OracleHttpsProtocol.cs b/src/OracleService/Protocols/OracleHttpsProtocol.cs
@@ -22,7 +22,7 @@ namespace Neo.Plugins
 {
     class OracleHttpsProtocol : IOracleProtocol
     {
-        private readonly HttpClient client = new HttpClient();
+        private readonly HttpClient client = new(new HttpClientHandler() { AllowAutoRedirect = false });
 
         public OracleHttpsProtocol()
         {
@@ -48,17 +48,24 @@ public void Dispose()
         {
             Utility.Log(nameof(OracleHttpsProtocol), LogLevel.Debug, $"Request: {uri.AbsoluteUri}");
 
-            if (!Settings.Default.AllowPrivateHost)
-            {
-                IPHostEntry entry = await Dns.GetHostEntryAsync(uri.Host);
-                if (entry.IsInternal())
-                    return (OracleResponseCode.Forbidden, null);
-            }
-
             HttpResponseMessage message;
             try
             {
-                message = await client.GetAsync(uri, HttpCompletionOption.ResponseContentRead, cancellation);
+                do
+                {
+                    if (!Settings.Default.AllowPrivateHost)
+                    {
+                        IPHostEntry entry = await Dns.GetHostEntryAsync(uri.Host, cancellation);
+                        if (entry.IsInternal())
+                            return (OracleResponseCode.Forbidden, null);
+                    }
+                    message = await client.GetAsync(uri, HttpCompletionOption.ResponseContentRead, cancellation);
+                    if (message.Headers.Location is not null)
+                    {
+                        uri = message.Headers.Location;
+                        message = null;
+                    }
+                } while (message == null);
             }
             catch
             {