nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-17 19:18:16 -05:00
Code

Do not request local hosts or ip addresses

Browse Source
This commit is contained in:
Kyle Spearrin 2020-04-30 11:41:30 -04:00
parent 68901437ba
commit 3462613f49
1 changed files with 17 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/Icons/Services/IconFetchingService.cs
View File

@ -280,6 +280,23 @@ namespace Bit.Icons.Services
private async Task<HttpResponseMessage> GetAsync(Uri uri) private async Task<HttpResponseMessage> GetAsync(Uri uri)
{ {
if (uri == null)
{
return null;
}
// Prevent non-http(s) and non-default ports
if ((uri.Scheme != "http" && uri.Scheme != "https") || !uri.IsDefaultPort)
{
return null;
}
// Prevent local hosts (localhost, bobs-pc, etc), IPv4, and IPv6 (which contain ":" in the host)
if (!uri.Host.Contains(".") || _ipRegex.IsMatch(uri.Host) || uri.Host.Contains(":"))
{
return null;
}
using (var message = new HttpRequestMessage()) using (var message = new HttpRequestMessage())
{ {
message.RequestUri = uri; message.RequestUri = uri;
@ -348,13 +365,6 @@ namespace Bit.Icons.Services
} }
Cleanup(response); Cleanup(response);
if (location == null || (location.Scheme != "http" && location.Scheme != "https") ||
!location.IsDefaultPort)
{
return null;
}
var newResponse = await GetAsync(location); var newResponse = await GetAsync(location);
if (newResponse != null) if (newResponse != null)
{ {