From f40135dbf28093864482f9662c23e478ea192b16 Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Mon, 24 Apr 2023 17:46:58 -0700
Subject: [PATCH] fix: disable redirects to guard against possible SSRFs

---
 activitypub/webfinger/webfinger.go | 9 ++++++++-
 auth/indieauth/client.go | 8 +++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/activitypub/webfinger/webfinger.go b/activitypub/webfinger/webfinger.go
index 4447b9e4a..5cea75c87 100644
--- a/activitypub/webfinger/webfinger.go
+++ b/activitypub/webfinger/webfinger.go
@@ -29,7 +29,14 @@ func GetWebfingerLinks(account string) ([]map[string]interface{}, error) {
 	query.Add("resource", fmt.Sprintf("acct:%s", account))
 	requestURL.RawQuery = query.Encode()
 
-	response, err := http.DefaultClient.Get(requestURL.String())
+	// Do not support redirects.
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
+	response, err := client.Get(requestURL.String())
 	if err != nil {
 		return nil, err
 	}
diff --git a/auth/indieauth/client.go b/auth/indieauth/client.go
index 8f0dd1b34..e3d67e748 100644
--- a/auth/indieauth/client.go
+++ b/auth/indieauth/client.go
@@ -80,7 +80,13 @@ func HandleCallbackCode(code, state string) (*Request, *Response, error) {
 	data.Set("redirect_uri", request.Callback.String())
 	data.Set("code_verifier", request.CodeVerifier)
 
-	client := &http.Client{}
+	// Do not support redirects.
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
 	r, err := http.NewRequest("POST", request.Endpoint.String(), strings.NewReader(data.Encode())) // URL-encoded payload
 	if err != nil {
 		return nil, nil, err
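Review bot: The new `client := &http.Client{` in GetWebfingerLinks sets no `Timeout`, so the remote webfinger host, whose address is derived from the caller-supplied `account` string, can hold the connection open indefinitely; the `http.DefaultClient` it replaces had no timeout either, and the identical literal in the auth/indieauth/client.go hunk has the same gap. Adding `Timeout: 10 * time.Second,` to both literals (with the `time` import) bounds the request the same way the redirect policy bounds its destination. Note also that `http.ErrUseLastResponse` makes a 3xx come back as a successful `response` rather than an `err`, so the code after the `if err != nil` block needs to check `response.StatusCode` before decoding the body; the rest of GetWebfingerLinks is outside this hunk.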
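Review bot: The `CheckRedirect` closure in HandleCallbackCode never uses `req` or `via`, so the parameters read more clearly as blanks: `CheckRedirect: func(_ *http.Request, _ []*http.Request) error {` (the same applies to the webfinger hunk). Since this literal is now duplicated byte-for-byte across the two files, a small shared constructor returning the no-redirect client would keep the policy, and any future timeout, in one place. HandleCallbackCode continues past the end of this hunk, so how the POST response is checked is not visible here.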