SECURITY: Add FinalDestination::FastImage that's SSRF safe

2025-05-22 03:51:07 +08:00 · 2023-02-16 12:02:03 +08:00
parent 6dcb099547
commit 39c2f63b35
4 changed files with 95 additions and 2 deletions
--- a/lib/final_destination/fast_image.rb
+++ b/lib/final_destination/fast_image.rb
@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+class FinalDestination::FastImage < ::FastImage
+  def initialize(url, options = {})
+    uri = URI(normalized_url(url))
+    options.merge!(http_header: { "Host" => uri.hostname })
+    uri.hostname = resolved_ip(uri)
+
+    super(uri.to_s, options)
+  rescue FinalDestination::SSRFDetector::DisallowedIpError, SocketError, Timeout::Error
+    super("")
+  end
+
+  private
+
+  def resolved_ip(uri)
+    FinalDestination::SSRFDetector.lookup_and_filter_ips(uri.hostname).first
+  end
+
+  def normalized_url(uri)
+    UrlHelper.normalized_encode(uri)
+  end
+end