did some anti ssrf stuff

2021-07-06 14:55:56 +02:00 · 2021-07-06 14:55:56 +02:00 · 2ae1b60cae
parent c7f5d7f0c2
commit 2ae1b60cae
2 changed files with 9 additions and 4 deletions
--- a/src/Helpers.hs
+++ b/src/Helpers.hs
@ -4,7 +4,7 @@ module Helpers where

 import YTDL
 import qualified Data.Text.Lazy as TL
-import Network.URI (parseURI)
+import Network.URI

 getRes :: TL.Text -> Maybe Resolution
 getRes ("144p")  = Just P144
@ -22,7 +22,13 @@ isRes res = case getRes res of
              (Just _) -> True
              _        -> False

+-- ssrf paranoia
+isOkPath :: String -> Bool
+isOkPath p = not $ isIPv4address p || isIPv6address p || p == "localhost"
+
 isURL :: TL.Text -> Bool
 isURL uri = case parseURI (TL.unpack uri) of
-              (Just _) -> True
-              _        -> False
+              (Just u) -> case uriAuthority u of
+                  (Just (URIAuth _ p _)) -> isOkPath p
+                  _                        -> False
+              _          -> False
--- a/src/Main.hs
+++ b/src/Main.hs
@ -27,7 +27,6 @@ downloadAction = do
            setHeader "content-type" "video/mp4"
            file filePath
          (Left err) -> html $ errorPage (TL.pack err)
-        -- liftIO $ ytdlClean ident
      else
        html $ errorPage "Invalid input!"