mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2024-11-27 03:36:51 +03:00
746f3fa4e6
* [bugfix] Ensure requests happen over TCP It's possible for the network to be udp4 or udp6. This is rather unlikely to occur, but since we're given the network anyway as part of the Sanitize function getting called we might as well check for it. * [chore] Align reserved v6 blocks to IANA registry * [chore] Add test for ValidateIP The net and netip packages diverge in that net.ParseIP will consider an IPv4-mapped address to be an IPv4 address and as such it would get caught by the IPv4Reserved list. However, netip considers it an IPv6 address, so we need to ensure the mapped range is in IPv6Reserved. * [chore] Align reserved v4 blocks to IANA registry This includes a number of tests for /32's explicitly called out in the registry to ensure we always consider those invalid.
68 lines
1.6 KiB
Go
68 lines
1.6 KiB
Go
/*
|
|
GoToSocial
|
|
Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU Affero General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU Affero General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Affero General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
package httpclient
|
|
|
|
import (
|
|
"net/netip"
|
|
"syscall"
|
|
|
|
"github.com/superseriousbusiness/gotosocial/internal/netutil"
|
|
)
|
|
|
|
type sanitizer struct {
|
|
allow []netip.Prefix
|
|
block []netip.Prefix
|
|
}
|
|
|
|
// Sanitize implements the required net.Dialer.Control function signature.
|
|
func (s *sanitizer) Sanitize(ntwrk, addr string, _ syscall.RawConn) error {
|
|
// Parse IP+port from addr
|
|
ipport, err := netip.ParseAddrPort(addr)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !(ntwrk == "tcp4" || ntwrk == "tcp6") {
|
|
return ErrInvalidNetwork
|
|
}
|
|
|
|
// Seperate the IP
|
|
ip := ipport.Addr()
|
|
|
|
// Check if this is explicitly allowed
|
|
for i := 0; i < len(s.allow); i++ {
|
|
if s.allow[i].Contains(ip) {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// Now check if explicity blocked
|
|
for i := 0; i < len(s.block); i++ {
|
|
if s.block[i].Contains(ip) {
|
|
return ErrReservedAddr
|
|
}
|
|
}
|
|
|
|
// Validate this is a safe IP
|
|
if !netutil.ValidateIP(ip) {
|
|
return ErrReservedAddr
|
|
}
|
|
|
|
return nil
|
|
}
|