From 085b50be8b4f1d7da17f340edb7c167756452d31 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Wed, 30 Aug 2023 02:04:52 -0400
Subject: [PATCH 1/2] Check if host is public domain before requesting
---
 app/controllers/api/avatars.php | 23 +++++++++++++-----
 tests/e2e/Services/Avatars/AvatarsBase.php | 28 +++++++---------------
 2 files changed, 25 insertions(+), 26 deletions(-)
diff --git a/app/controllers/api/avatars.php b/app/controllers/api/avatars.php
index 0be2e0d849..b92943acbb 100644
--- a/app/controllers/api/avatars.php
+++ b/app/controllers/api/avatars.php
@@ -1,11 +1,8 @@ isKnown()) {
+ throw new Exception(Exception::AVATAR_REMOTE_URL_FAILED);
+ }
+
+ $fetch = @\file_get_contents($url);
 if (!$fetch) {
 throw new Exception(Exception::AVATAR_IMAGE_NOT_FOUND);
@@ -326,6 +333,12 @@ App::get('/v1/avatars/favicon')
 throw new Exception(Exception::GENERAL_SERVER_ERROR, 'Imagick extension is missing');
 }
+ $domain = new Domain(\parse_url($url, PHP_URL_HOST));
+
+ if (!$domain->isKnown()) {
+ throw new Exception(Exception::AVATAR_REMOTE_URL_FAILED);
+ }
+
 $curl = \curl_init();
 \curl_setopt_array($curl, [
@@ -545,8 +558,6 @@ App::get('/v1/avatars/initials')
 $image->setImageFormat("png");
 $image->compositeImage($punch, Imagick::COMPOSITE_COPYOPACITY, 0, 0);
- //$image->setImageCompressionQuality(9 - round(($quality / 100) * 9));
-
 $response
 ->addHeader('Expires', \date('D, d M Y H:i:s', \time() + (60 * 60 * 24 * 45)) . ' GMT') // 45 days cache
 ->setContentType('image/png')
diff --git a/tests/e2e/Services/Avatars/AvatarsBase.php b/tests/e2e/Services/Avatars/AvatarsBase.php
index e2ddc1a863..1652e01514 100644
--- a/tests/e2e/Services/Avatars/AvatarsBase.php
+++ b/tests/e2e/Services/Avatars/AvatarsBase.php
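Review bot: The `isKnown()` check on the host of `$url` only establishes that the name ends in a recognised public suffix, so it does not by itself keep the fetch on the public internet: such a name can resolve to a loopback or private address, and `@\file_get_contents($url)` in the image hunk follows HTTP redirects by default, so the final request can reach a host that never went through the check (the `$domain` check before `\curl_init()` in the favicon hunk has the same gap unless the curl options, which are outside the hunk, disable redirect following). Consider resolving the host and rejecting non-public addresses, and disabling automatic redirects so each hop is re-checked, e.g. `$fetch = @\file_get_contents($url, false, \stream_context_create(['http' => ['follow_location' => 0]]));`. Separately, `\parse_url($url, PHP_URL_HOST)` returns `null` for a URL with no host and `false` for a badly malformed one, and that value is handed straight to `new Domain(...)`; whether that throws from the constructor or silently evaluates an empty domain depends on its signature, which is not on the page, so an explicit guard such as `$host = \parse_url($url, PHP_URL_HOST); if (!\is_string($host) || $host === '') { throw new Exception(Exception::AVATAR_REMOTE_URL_FAILED); }` would make the rejection deliberate. Both points apply equally to the `$outputHref` check added in the second patch. The enclosing route handlers begin and end outside these hunks, and the first hunk of this file is garbled in this copy of the patch.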
@@ -287,26 +287,6 @@ trait AvatarsBase
 $this->assertEquals('image/png', $response['headers']['content-type']);
 $this->assertNotEmpty($response['body']);
- // $response = $this->client->call(Client::METHOD_GET, '/avatars/favicon', [
- // 'x-appwrite-project' => $this->getProject()['$id'],
- // ], [
- // 'url' => 'https://www.bbc.com/',
- // ]);
-
- // $this->assertEquals(200, $response['headers']['status-code']);
- // $this->assertEquals('image/png', $response['headers']['content-type']);
- // $this->assertNotEmpty($response['body']);
-
- // $response = $this->client->call(Client::METHOD_GET, '/avatars/favicon', [
- // 'x-appwrite-project' => $this->getProject()['$id'],
- // ], [
- // 'url' => 'https://edition.cnn.com/',
- // ]);
-
- // $this->assertEquals(200, $response['headers']['status-code']);
- // $this->assertEquals('image/x-icon', $response['headers']['content-type']);
- // $this->assertNotEmpty($response['body']);
-
 /**
 * Test for FAILURE
 */
@@ -326,6 +306,14 @@ trait AvatarsBase
 $this->assertEquals(404, $response['headers']['status-code']);
+ $response = $this->client->call(Client::METHOD_GET, '/avatars/favicon', [
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ], [
+ 'url' => 'http://localhost',
+ ]);
+
+ $this->assertEquals(404, $response['headers']['status-code']);
+
 return [];
 }
From ff16fd7d9c5cd34fb80f6e6be807148d708e6650 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Wed, 30 Aug 2023 02:14:19 -0400
Subject: [PATCH 2/2] Check link after fetching page as well
---
 app/controllers/api/avatars.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/app/controllers/api/avatars.php b/app/controllers/api/avatars.php
index b92943acbb..3b93348643 100644
--- a/app/controllers/api/avatars.php
+++ b/app/controllers/api/avatars.php
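Review bot: The new `http://localhost` case asserts only a 404 status, which is the same status the preceding failure case already expects, so the test cannot distinguish a rejection by the new host check from an ordinary failed fetch, and it would keep passing if the check were removed as long as nothing listens on that host in the test environment. Asserting on the error type in the response body, the one that `Exception::AVATAR_REMOTE_URL_FAILED` maps to, would pin the behaviour this patch adds; the status it maps to is not visible on the page, so confirm it is 404 before relying on it. A URL whose host is a numeric IP address rather than a name is also worth its own case, since the check in the controller is a domain-suffix check and how `Domain` treats an IP literal is not shown here. The enclosing test method begins outside the hunk.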
@@ -412,6 +412,12 @@ App::get('/v1/avatars/favicon')
 $outputExt = 'ico';
 }
+ $domain = new Domain(\parse_url($outputHref, PHP_URL_HOST));
+
+ if (!$domain->isKnown()) {
+ throw new Exception(Exception::AVATAR_REMOTE_URL_FAILED);
+ }
+
 if ('ico' == $outputExt) { // Skip crop, Imagick isn\'t supporting icon files
 $data = @\file_get_contents($outputHref, false);
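Review bot: `$outputHref` is the icon link taken from the fetched page, and whether it has been made absolute before this point is outside the hunk; if it can still be a relative path such as a bare `/favicon.ico`, `\parse_url($outputHref, PHP_URL_HOST)` returns `null` and the `Domain` check either throws from the constructor or evaluates an empty domain instead of rejecting the value on purpose, so a guard of the form `$host = \parse_url($outputHref, PHP_URL_HOST); if (!\is_string($host) || $host === '') { throw new Exception(Exception::AVATAR_REMOTE_URL_FAILED); }` is worth adding ahead of `new Domain(...)`. The repeated check also deserves a why-comment, since a reader will see the same test a few dozen lines earlier on `$url`; something like `// The page may point its icon at a different host than the one already checked; validate it before fetching.`. The route handler begins and ends outside the hunk.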