fix: add additional validation before making remote requests (#3398)

2023-10-28 08:15:01 -07:00
parent 5406e3d5da
commit a6dbc37a84
5 changed files with 94 additions and 1 deletions
--- a/activitypub/webfinger/webfinger.go
+++ b/activitypub/webfinger/webfinger.go
@@ -2,10 +2,13 @@ package webfinger

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
+
+	"github.com/owncast/owncast/utils"
 )

 // GetWebfingerLinks will return webfinger data for an account.
@@ -18,6 +21,11 @@ func GetWebfingerLinks(account string) ([]map[string]interface{}, error) {
 	accountComponents := strings.Split(account, "@")
 	fediverseServer := accountComponents[1]

+	// Reject any requests to our internal network or loopback.
+	if utils.IsHostnameInternal(fediverseServer) {
+		return nil, errors.New("unable to use provided host as a valid fediverse server")
+	}
+
 	// HTTPS is required.
 	requestURL, err := url.Parse("https://" + fediverseServer)
 	if err != nil {