From 8a46fcd30109ba4241b851b39f9d99bfc9b7168f Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 7 Jul 2020 19:47:12 -0400
Subject: [PATCH] Resolve host to check for private IP address (#812)

---
 src/Icons/Services/IconFetchingService.cs | 28 +++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/src/Icons/Services/IconFetchingService.cs b/src/Icons/Services/IconFetchingService.cs
index da30e76865..f7e789fd16 100644
--- a/src/Icons/Services/IconFetchingService.cs
+++ b/src/Icons/Services/IconFetchingService.cs
@@ -291,6 +291,13 @@ namespace Bit.Icons.Services
                 return null;
             }
 
+            // Resolve host to make sure it is not an internal/private IP address
+            var hostEntry = Dns.GetHostEntry(uri.Host);
+            if (hostEntry?.AddressList.Any(ip => IsInternal(ip)) ?? true)
+            {
+                return null;
+            }
+
             using (var message = new HttpRequestMessage())
             {
                 message.RequestUri = uri;
@@ -405,5 +412,26 @@ namespace Bit.Icons.Services
         {
             return uri != null && uri.Scheme == "http" ? "http" : "https";
         }
+
+        public static bool IsInternal(IPAddress ip)
+        {
+            if (IPAddress.IsLoopback(ip))
+            {
+                return true;
+            }
+            else if (ip.ToString() == "::1")
+            {
+                return false;
+            }
+
+            var bytes = ip.GetAddressBytes();
+            return (bytes[0]) switch
+            {
+                10 => true,
+                172 => bytes[1] < 32 && bytes[1] >= 16,
+                192 => bytes[1] == 168,
+                _ => false,
+            };
+        }
     }
 }
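Review bot: The addresses vetted by `Dns.GetHostEntry(uri.Host)` are not the ones the request on `message.RequestUri = uri` will connect to, because the HTTP client resolves the host name again at connect time; a name whose records differ between the two lookups (or, if the handler follows redirects, a redirect to another host) is not covered by this check. The robust form pins the connection to a vetted address, e.g. rewrite the request to one of the checked IPs and send the original name in the `Host` header, or use a connect-time callback where the project's runtime offers one; the handler setup is outside this hunk so I cannot tell which applies. Separately, `Dns.GetHostEntry` throws `SocketException` for unresolvable names and blocks the calling thread, and no catch is visible here; `try { hostEntry = await Dns.GetHostEntryAsync(uri.Host); } catch (SocketException) { return null; }` would keep an unresolvable host on the same "return null" path as the other rejections, assuming the enclosing method is async. The enclosing method starts and ends outside this hunk.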
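Review bot: `IsInternal` only classifies IPv4 correctly: for an IPv6 address `GetAddressBytes()` returns 16 bytes, so comparing `bytes[0]` against 10/172/192 is meaningless and an IPv4-mapped IPv6 form of a private address (`::ffff:10.0.0.1`), a unique-local (fc00::/7) or a link-local (fe80::/10) address all fall through to `_ => false`. The `else if (ip.ToString() == "::1")` branch is dead code, since `IPAddress.IsLoopback` already returns true for `::1`, and if it ever ran it would report the loopback address as not internal. The IPv4 table also omits ranges that this kind of filter normally treats as internal: 169.254.0.0/16 (link-local, where cloud metadata endpoints live), 0.0.0.0/8, 100.64.0.0/10 and everything from 224.0.0.0 up. I would normalise mapped addresses with `IsIPv4MappedToIPv6`/`MapToIPv4()`, handle the 16-byte case with the framework's IPv6 predicates plus a fc00::/7 byte test (avoiding `IsIPv6UniqueLocal`, which may be newer than the project's target), and extend the switch as below; a `null` argument is treated as internal so the caller's `?? true` default and this method agree.

```csharp
public static bool IsInternal(IPAddress ip)
{
    if (ip is null || IPAddress.IsLoopback(ip))
    {
        return true;
    }

    // Normalise ::ffff:a.b.c.d so the IPv4 rules below apply to it.
    if (ip.IsIPv4MappedToIPv6)
    {
        ip = ip.MapToIPv4();
    }

    var bytes = ip.GetAddressBytes();
    if (bytes.Length == 16)
    {
        // fc00::/7 unique-local, plus link-local, site-local and multicast.
        return (bytes[0] & 0xfe) == 0xfc
            || ip.IsIPv6LinkLocal
            || ip.IsIPv6SiteLocal
            || ip.IsIPv6Multicast;
    }

    return bytes[0] switch
    {
        0 => true,                                // 0.0.0.0/8 "this network"
        10 => true,                               // 10.0.0.0/8
        100 => bytes[1] >= 64 && bytes[1] <= 127, // 100.64.0.0/10 shared address space
        127 => true,                              // 127.0.0.0/8 (IsLoopback covers this; kept for clarity)
        169 => bytes[1] == 254,                   // 169.254.0.0/16 link-local
        172 => bytes[1] >= 16 && bytes[1] <= 31,  // 172.16.0.0/12
        192 => bytes[1] == 168,                   // 192.168.0.0/16
        _ => bytes[0] >= 224,                     // multicast and reserved, incl. 255.255.255.255
    };
}
```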