mirror of https://github.com/Chocobozzz/PeerTube
Prevent video import on non unicast ips
parent
37a5d6318b
commit
7b54a81ccc
|
@ -13,6 +13,7 @@ import { CONFIG } from '../../../initializers/config'
|
|||
import { CONSTRAINTS_FIELDS } from '../../../initializers/constants'
|
||||
import { areValidationErrors, doesVideoChannelOfAccountExist } from '../shared'
|
||||
import { getCommonVideoEditAttributes } from './videos'
|
||||
import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js'
|
||||
|
||||
const videoImportAddValidator = getCommonVideoEditAttributes().concat([
|
||||
body('channelId')
|
||||
|
@ -71,6 +72,23 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([
|
|||
return res.fail({ message: 'Should have a magnetUri or a targetUrl or a torrent file.' })
|
||||
}
|
||||
|
||||
if (req.body.targetUrl) {
|
||||
const hostname = new URL(req.body.targetUrl).hostname
|
||||
|
||||
if (isIPValid(hostname)) {
|
||||
const parsed = parseIP(hostname)
|
||||
|
||||
if (parsed.range() !== 'unicast') {
|
||||
cleanUpReqFiles(req)
|
||||
|
||||
return res.fail({
|
||||
status: HttpStatusCode.FORBIDDEN_403,
|
||||
message: 'Cannot use non unicast IP as targetUrl.'
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!await isImportAccepted(req, res)) return cleanUpReqFiles(req)
|
||||
|
||||
return next()
|
||||
|
|
|
@ -108,6 +108,34 @@ describe('Test video imports API validator', function () {
|
|||
await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
|
||||
})
|
||||
|
||||
it('Should fail with localhost', async function () {
|
||||
const fields = { ...baseCorrectParams, targetUrl: 'http://localhost:8000' }
|
||||
|
||||
await makePostBodyRequest({ url: server.url, path, token: server.accessToken, fields })
|
||||
})
|
||||
|
||||
it('Should fail with a private IP target urls', async function () {
|
||||
const targetUrls = [
|
||||
'http://127.0.0.1:8000',
|
||||
'http://127.0.0.1',
|
||||
'http://127.0.0.1/hello',
|
||||
'https://192.168.1.42',
|
||||
'http://192.168.1.42'
|
||||
]
|
||||
|
||||
for (const targetUrl of targetUrls) {
|
||||
const fields = { ...baseCorrectParams, targetUrl }
|
||||
|
||||
await makePostBodyRequest({
|
||||
url: server.url,
|
||||
path,
|
||||
token: server.accessToken,
|
||||
fields,
|
||||
expectedStatus: HttpStatusCode.FORBIDDEN_403
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
it('Should fail with a long name', async function () {
|
||||
const fields = { ...baseCorrectParams, name: 'super'.repeat(65) }
|
||||
|
||||
|
|
Loading…
Reference in New Issue