From 3462613f49c4c22ad9f769ceb85d624c6094d184 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Thu, 30 Apr 2020 11:41:30 -0400
Subject: [PATCH] Do not request local hosts or ip addresses

---
 src/Icons/Services/IconFetchingService.cs | 24 ++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/Icons/Services/IconFetchingService.cs b/src/Icons/Services/IconFetchingService.cs
index 480216893e..6f5af10b1d 100644
--- a/src/Icons/Services/IconFetchingService.cs
+++ b/src/Icons/Services/IconFetchingService.cs
@@ -280,6 +280,23 @@ namespace Bit.Icons.Services
 
 private async Task GetAsync(Uri uri)
 {
+ if (uri == null)
+ {
+ return null;
+ }
+
+ // Prevent non-http(s) and non-default ports
+ if ((uri.Scheme != "http" && uri.Scheme != "https") || !uri.IsDefaultPort)
+ {
+ return null;
+ }
+
+ // Prevent local hosts (localhost, bobs-pc, etc), IPv4, and IPv6 (which contain ":" in the host)
+ if (!uri.Host.Contains(".") || _ipRegex.IsMatch(uri.Host) || uri.Host.Contains(":"))
+ {
+ return null;
+ }
+
 using (var message = new HttpRequestMessage())
 {
 message.RequestUri = uri;
@@ -348,13 +365,6 @@ namespace Bit.Icons.Services
 
 }
 Cleanup(response);
-
- if (location == null || (location.Scheme != "http" && location.Scheme != "https") ||
- !location.IsDefaultPort)
- {
- return null;
- }
-
 var newResponse = await GetAsync(location);
 if (newResponse != null)
 {
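Review bot: The host checks added in the first hunk are string heuristics on `uri.Host` and never consider what the name resolves to, so a public DNS name whose record points at loopback or an RFC 1918 range still passes these checks. `Uri` already classifies the host, so the regex and the `Contains(":")` test can be replaced by `if (uri.HostNameType != UriHostNameType.Dns || !uri.Host.Contains(".")) { return null; }`, which rejects IPv4 and IPv6 literals in every form `Uri` parses rather than only those `_ipRegex` matches (its pattern is outside the hunk, so I cannot confirm what it covers). Closing the resolution gap would mean resolving the name before the request and rejecting loopback, link-local and private results, which is a larger change to the request setup that follows in the method; a comment stating that the current checks block only literal addresses and single-label names would at least document the limit. GetAsync's body continues past the hunk.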