Merge pull request #6060 from appwrite/fix-internal-ssrf
Check if host is public domain before requesting
This commit is contained in:
Eldad A. Fux
GitHub
commit
8cddfab235
|
|
@ -1,11 +1,8 @@
|
|||
<?php
|
||||
|
||||
use Appwrite\Extend\Exception;
|
||||
use Utopia\Validator\URL;
|
||||
use Appwrite\URL\URL as URLParse;
|
||||
use Appwrite\Utopia\Response;
|
||||
use chillerlan\QRCode\QRCode;
|
||||
use chillerlan\QRCode\QROptions;
|
||||
use Utopia\App;
|
||||
use Utopia\CLI\Console;
|
||||
use Utopia\Config\Config;
|
||||
|
|
@ -14,6 +11,7 @@ use Utopia\Database\DateTime;
|
|||
use Utopia\Database\Document;
|
||||
use Utopia\Database\Validator\Authorization;
|
||||
use Utopia\Database\Validator\UID;
|
||||
use Utopia\Domains\Domain;
|
||||
use Utopia\Image\Image;
|
||||
use Utopia\Logger\Log;
|
||||
use Utopia\Logger\Logger;
|
||||
|
|
@ -21,7 +19,10 @@ use Utopia\Validator\Boolean;
|
|||
use Utopia\Validator\HexColor;
|
||||
use Utopia\Validator\Range;
|
||||
use Utopia\Validator\Text;
|
||||
use Utopia\Validator\URL;
|
||||
use Utopia\Validator\WhiteList;
|
||||
use chillerlan\QRCode\QRCode;
|
||||
use chillerlan\QRCode\QROptions;
|
||||
|
||||
$avatarCallback = function (string $type, string $code, int $width, int $height, int $quality, Response $response) {
|
||||
|
||||
|
|
@ -276,7 +277,13 @@ App::get('/v1/avatars/image')
|
|||
throw new Exception(Exception::GENERAL_SERVER_ERROR, 'Imagick extension is missing');
|
||||
}
|
||||
|
||||
$fetch = @\file_get_contents($url, false);
|
||||
$domain = new Domain(\parse_url($url, PHP_URL_HOST));
|
||||
|
||||
if (!$domain->isKnown()) {
|
||||
throw new Exception(Exception::AVATAR_REMOTE_URL_FAILED);
|
||||
}
|
||||
|
||||
$fetch = @\file_get_contents($url);
|
||||
|
||||
if (!$fetch) {
|
||||
throw new Exception(Exception::AVATAR_IMAGE_NOT_FOUND);
|
||||
|
|
@ -326,6 +333,12 @@ App::get('/v1/avatars/favicon')
|
|||
throw new Exception(Exception::GENERAL_SERVER_ERROR, 'Imagick extension is missing');
|
||||
}
|
||||
|
||||
$domain = new Domain(\parse_url($url, PHP_URL_HOST));
|
||||
|
||||
if (!$domain->isKnown()) {
|
||||
throw new Exception(Exception::AVATAR_REMOTE_URL_FAILED);
|
||||
}
|
||||
|
||||
$curl = \curl_init();
|
||||
|
||||
\curl_setopt_array($curl, [
|
||||
|
|
@ -399,6 +412,12 @@ App::get('/v1/avatars/favicon')
|
|||
$outputExt = 'ico';
|
||||
}
|
||||
|
||||
$domain = new Domain(\parse_url($outputHref, PHP_URL_HOST));
|
||||
|
||||
if (!$domain->isKnown()) {
|
||||
throw new Exception(Exception::AVATAR_REMOTE_URL_FAILED);
|
||||
}
|
||||
|
||||
if ('ico' == $outputExt) { // Skip crop, Imagick isn\'t supporting icon files
|
||||
$data = @\file_get_contents($outputHref, false);
|
||||
|
||||
|
|
@ -545,8 +564,6 @@ App::get('/v1/avatars/initials')
|
|||
$image->setImageFormat("png");
|
||||
$image->compositeImage($punch, Imagick::COMPOSITE_COPYOPACITY, 0, 0);
|
||||
|
||||
//$image->setImageCompressionQuality(9 - round(($quality / 100) * 9));
|
||||
|
||||
$response
|
||||
->addHeader('Expires', \date('D, d M Y H:i:s', \time() + (60 * 60 * 24 * 45)) . ' GMT') // 45 days cache
|
||||
->setContentType('image/png')
|
||||
|
|
|
|||
|
|
@ -287,26 +287,6 @@ trait AvatarsBase
|
|||
$this->assertEquals('image/png', $response['headers']['content-type']);
|
||||
$this->assertNotEmpty($response['body']);
|
||||
|
||||
// $response = $this->client->call(Client::METHOD_GET, '/avatars/favicon', [
|
||||
// 'x-appwrite-project' => $this->getProject()['$id'],
|
||||
// ], [
|
||||
// 'url' => 'https://www.bbc.com/',
|
||||
// ]);
|
||||
|
||||
// $this->assertEquals(200, $response['headers']['status-code']);
|
||||
// $this->assertEquals('image/png', $response['headers']['content-type']);
|
||||
// $this->assertNotEmpty($response['body']);
|
||||
|
||||
// $response = $this->client->call(Client::METHOD_GET, '/avatars/favicon', [
|
||||
// 'x-appwrite-project' => $this->getProject()['$id'],
|
||||
// ], [
|
||||
// 'url' => 'https://edition.cnn.com/',
|
||||
// ]);
|
||||
|
||||
// $this->assertEquals(200, $response['headers']['status-code']);
|
||||
// $this->assertEquals('image/x-icon', $response['headers']['content-type']);
|
||||
// $this->assertNotEmpty($response['body']);
|
||||
|
||||
/**
|
||||
* Test for FAILURE
|
||||
*/
|
||||
|
|
@ -326,6 +306,14 @@ trait AvatarsBase
|
|||
|
||||
$this->assertEquals(404, $response['headers']['status-code']);
|
||||
|
||||
$response = $this->client->call(Client::METHOD_GET, '/avatars/favicon', [
|
||||
'x-appwrite-project' => $this->getProject()['$id'],
|
||||
], [
|
||||
'url' => 'http://localhost',
|
||||
]);
|
||||
|
||||
$this->assertEquals(404, $response['headers']['status-code']);
|
||||
|
||||
return [];
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue