github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-06 13:06:56 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Consider 0.0.0.0 a private IP

Browse Source
This commit is contained in:
Robin Ward
2018-07-24 11:15:37 -04:00
parent 9fff53407c
commit 236243f38a
2 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/final_destination.rb
View File

@ -293,6 +293,7 @@ class FinalDestination
def self.standard_private_ranges def self.standard_private_ranges
@private_ranges ||= [ @private_ranges ||= [
IPAddr.new('0.0.0.0/8'),
IPAddr.new('127.0.0.1'), IPAddr.new('127.0.0.1'),
IPAddr.new('172.16.0.0/12'), IPAddr.new('172.16.0.0/12'),
IPAddr.new('192.168.0.0/16'), IPAddr.new('192.168.0.0/16'),

5
spec/components/final_destination_spec.rb
View File

@ -337,6 +337,11 @@ describe FinalDestination do
expect(fd("https://104.25.153.10").is_dest_valid?).to eq(true) expect(fd("https://104.25.153.10").is_dest_valid?).to eq(true)
end end
it "returns false for short ip" do
expect(FinalDestination.new('https://0/logo.png').is_dest_valid?).to eq(false)
expect(FinalDestination.new('https://1/logo.png').is_dest_valid?).to eq(false)
end
it "returns false for private ipv4" do it "returns false for private ipv4" do
expect(fd("https://127.0.0.1").is_dest_valid?).to eq(false) expect(fd("https://127.0.0.1").is_dest_valid?).to eq(false)
expect(fd("https://192.168.1.3").is_dest_valid?).to eq(false) expect(fd("https://192.168.1.3").is_dest_valid?).to eq(false)