From 0db6c3b2aa1787a7054ffdaba975474f122c20eb Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Fri, 19 Jan 2024 10:49:40 -0800
Subject: [PATCH] Prevent private octets from link collection for self-hosted
 (#626)

---
 collector/utils/url/index.js | 14 ++++++++++++++
 server/endpoints/system.js   |  5 +----
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/collector/utils/url/index.js b/collector/utils/url/index.js
index 419c02c25..e8cd4a766 100644
--- a/collector/utils/url/index.js
+++ b/collector/utils/url/index.js
@@ -1,9 +1,23 @@
 const VALID_PROTOCOLS = ["https:", "http:"];
+const INVALID_OCTETS = [192, 172, 10, 127];
+
+function isInvalidIp({ hostname }) {
+  const IPRegex = new RegExp(
+    /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/gi
+  );
+  if (!IPRegex.test(hostname)) return false;
+  const [octetOne, ..._rest] = hostname.split(".");
+
+  // If fails to validate to number - abort and return as invalid.
+  if (isNaN(Number(octetOne))) return true;
+  return INVALID_OCTETS.includes(Number(octetOne));
+}
 
 function validURL(url) {
   try {
     const destination = new URL(url);
     if (!VALID_PROTOCOLS.includes(destination.protocol)) return false;
+    if (isInvalidIp(destination)) return false;
     return true;
   } catch {}
   return false;
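Review bot: `isInvalidIp` keys only on the first octet, so it is both over-broad (all of 192.0.0.0/8 and 172.0.0.0/8 is refused, not just 192.168.0.0/16 and 172.16.0.0/12) and incomplete — `localhost`, `0.0.0.0`, the link-local 169.254.0.0/16 range and bracketed IPv6 literals such as `[::1]` all fail the regex or the octet lookup and so still pass `validURL`. Matching the parsed address against CIDR ranges closes the literal-address cases (sketch below); a hostname that merely resolves to an internal address is still not covered by any string check, and that case needs a check on the resolved address at fetch time, which would be worth a `// TODO` on `validURL`. Separately, `if (isNaN(Number(octetOne))) return true;` is unreachable once the regex has matched (it only admits decimal digits), `_rest` is unused, and `new RegExp(/…/gi)` wraps a literal that is already a RegExp with a `g` flag nothing uses. `validURL`'s closing brace is outside the hunk.
```javascript
const IPV4_REGEX =
  /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/;

// Address ranges the collector must never fetch: "this host", RFC 1918,
// CGNAT, loopback, and link-local (where cloud metadata services live).
const BLOCKED_RANGES = [
  ["0.0.0.0", 8],
  ["10.0.0.0", 8],
  ["100.64.0.0", 10],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
];

function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function isInvalidIp({ hostname }) {
  // Loopback by name and any bracketed IPv6 literal are rejected outright;
  // the range comparison below only understands dotted-decimal IPv4.
  if (hostname === "localhost" || hostname.startsWith("[")) return true;
  if (!IPV4_REGEX.test(hostname)) return false;
  const addr = ipv4ToInt(hostname);
  return BLOCKED_RANGES.some(([start, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(start) & mask) >>> 0);
  });
}

// … unchanged: validURL …
```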
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index 29f5ab4f5..3f11bf5e0 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -16,10 +16,7 @@ const {
   multiUserMode,
   queryParams,
 } = require("../utils/http");
-const {
-  setupLogoUploads,
-  setupPfpUploads,
-} = require("../utils/files/multer");
+const { setupLogoUploads, setupPfpUploads } = require("../utils/files/multer");
 const { v4 } = require("uuid");
 const { SystemSettings } = require("../models/systemSettings");
 const { User } = require("../models/user");
-- 
GitLab