FIX: Gracefully handle DNS issued from SSRF lookup when inline oneboxing (#19631)

There is an issue where chat message processing breaks due to
unhandled `SocketError` exceptions originating in the SSRF check,
specifically in `FinalDestination::Resolver`.

This change gives `FinalDestination::SSRFDetector` a new error class
to wrap the `SocketError` in, and has the `RetrieveTitle` class
handle that error gracefully.
This commit is contained in:
Ted Johansson
2022-12-28 10:30:20 +08:00
committed by GitHub
parent 462e14e279
commit 06db264f24
4 changed files with 23 additions and 5 deletions

@ -2,8 +2,8 @@
class FinalDestination
module SSRFDetector
class DisallowedIpError < SocketError
end
class DisallowedIpError < SocketError; end
class LookupFailedError < SocketError; end
def self.standard_private_ranges
@private_ranges ||= [
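Review bot: `DisallowedIpError` and `LookupFailedError` both inherit from `SocketError` and neither carries a comment, so a caller with a broad `rescue SocketError` cannot tell "the resolver failed" apart from "the address was blocked by the SSRF filter" unless it knows to rescue the subclasses first. A one-line comment on each class saying when it is raised would help, since the two cases mean different things for logging and alerting: one is an infrastructure fault, the other a policy decision.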
@ -61,7 +61,12 @@ class FinalDestination
end
def self.lookup_and_filter_ips(name, timeout: nil)
ips = lookup_ips(name, timeout: timeout)
begin
ips = lookup_ips(name, timeout: timeout)
rescue SocketError
raise LookupFailedError, "FinalDestination: lookup failed"
end
return ips if host_bypasses_checks?(name)
ips.filter! { |ip| FinalDestination::SSRFDetector.ip_allowed?(ip) }
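Review bot: The message in `raise LookupFailedError, "FinalDestination: lookup failed"` leaves out `name`, so a log line for this error will not say which host failed to resolve. Ruby keeps the original `SocketError` as `cause` when raising inside a `rescue`, but most log output shows only the top-level message; consider interpolating `name` into it. The narrow `begin`/`rescue` around `lookup_ips` alone is good: a failed lookup raises before `host_bypasses_checks?` or the `ip_allowed?` filter runs, so a resolver failure cannot result in an unfiltered address list being returned.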