Do not request local hosts or ip addresses

2025-04-06 13:38:13 -05:00 · 2020-04-30 11:41:30 -04:00 · 2020-04-30 11:41:30 -04:00 · 3462613f49
commit 3462613f49
parent 68901437ba
1 changed files with 17 additions and 7 deletions
--- a/src/Icons/Services/IconFetchingService.cs
+++ b/src/Icons/Services/IconFetchingService.cs
@ -280,6 +280,23 @@ namespace Bit.Icons.Services

        private async Task<HttpResponseMessage> GetAsync(Uri uri)
        {
+            if (uri == null)
+            {
+                return null;
+            }
+
+            // Prevent non-http(s) and non-default ports
+            if ((uri.Scheme != "http" && uri.Scheme != "https") || !uri.IsDefaultPort)
+            {
+                return null;
+            }
+
+            // Prevent local hosts (localhost, bobs-pc, etc), IPv4, and IPv6 (which contain ":" in the host)
+            if (!uri.Host.Contains(".") || _ipRegex.IsMatch(uri.Host) || uri.Host.Contains(":"))
+            {
+                return null;
+            }
+
            using (var message = new HttpRequestMessage())
            {
                message.RequestUri = uri;
@ -348,13 +365,6 @@ namespace Bit.Icons.Services
            }

            Cleanup(response);
-
-            if (location == null || (location.Scheme != "http" && location.Scheme != "https") ||
-                !location.IsDefaultPort)
-            {
-                return null;
-            }
-
            var newResponse = await GetAsync(location);
            if (newResponse != null)
            {