Merge branch 'validate-host' into 'develop'

Validate Host header for MediaProxy and Uploads See merge request pleroma/pleroma!3896
2023-05-31 00:50:01 +00:00 · 2023-05-31 00:50:01 +00:00 · d998a114e2
commit d998a114e2
parent da6b4003ac b3c3bd99c3
6 changed files with 116 additions and 2 deletions
--- a/lib/pleroma/web/media_proxy/media_proxy_controller.ex
+++ b/lib/pleroma/web/media_proxy/media_proxy_controller.ex
@ -12,6 +12,7 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
  alias Pleroma.Web.MediaProxy
  alias Plug.Conn

+  plug(:validate_host)
  plug(:sandbox)

  def remote(conn, %{"sig" => sig64, "url" => url64}) do
@ -205,6 +206,30 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
    Config.get([:media_proxy, :proxy_opts], [])
  end

+  defp validate_host(conn, _params) do
+    %{scheme: proxy_scheme, host: proxy_host, port: proxy_port} =
+      MediaProxy.base_url() |> URI.parse()
+
+    if match?(^proxy_host, conn.host) do
+      conn
+    else
+      redirect_url =
+        %URI{
+          scheme: proxy_scheme,
+          host: proxy_host,
+          port: proxy_port,
+          path: conn.request_path,
+          query: conn.query_string
+        }
+        |> URI.to_string()
+        |> String.trim_trailing("?")
+
+      conn
+      |> Phoenix.Controller.redirect(external: redirect_url)
+      |> halt()
+    end
+  end
+
  defp sandbox(conn, _params) do
    conn
    |> merge_resp_headers([{"content-security-policy", "sandbox;"}])
--- a/lib/pleroma/web/plugs/uploaded_media.ex
+++ b/lib/pleroma/web/plugs/uploaded_media.ex
@ -46,12 +46,32 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do

    config = Pleroma.Config.get(Pleroma.Upload)

-    with uploader <- Keyword.fetch!(config, :uploader),
+    %{scheme: media_scheme, host: media_host, port: media_port} =
+      Pleroma.Upload.base_url() |> URI.parse()
+
+    with {:valid_host, true} <- {:valid_host, match?(^media_host, conn.host)},
+         uploader <- Keyword.fetch!(config, :uploader),
         proxy_remote = Keyword.get(config, :proxy_remote, false),
         {:ok, get_method} <- uploader.get_file(file),
         false <- media_is_banned(conn, get_method) do
      get_media(conn, get_method, proxy_remote, opts)
    else
+      {:valid_host, false} ->
+        redirect_url =
+          %URI{
+            scheme: media_scheme,
+            host: media_host,
+            port: media_port,
+            path: conn.request_path,
+            query: conn.query_string
+          }
+          |> URI.to_string()
+          |> String.trim_trailing("?")
+
+        conn
+        |> Phoenix.Controller.redirect(external: redirect_url)
+        |> halt()
+
      _ ->
        conn
        |> send_resp(:internal_server_error, dgettext("errors", "Failed"))