slurper: add SSRF check, and refuse slurping relays

+19 -2
+19 -2
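--- a/cmd/relay/relay/slurper.go
+++ b/cmd/relay/relay/slurper.go
@@ -6,6 +6,7 @@
 	"log/slog"
 	"math/rand"
 	"net/http"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -14,6 +15,7 @@
 	"github.com/bluesky-social/indigo/cmd/relay/relay/models"
 	"github.com/bluesky-social/indigo/cmd/relay/stream"
 	"github.com/bluesky-social/indigo/cmd/relay/stream/schedulers/parallel"
+	"github.com/bluesky-social/indigo/util/ssrf"
 
 	"github.com/RussellLuo/slidingwindow"
 	"github.com/gorilla/websocket"
@@ -286,6 +288,12 @@
 		HandshakeTimeout: time.Second * 5,
 	}
 
+	// if this isn't a localhost / private connection, then we should enable SSRF protections
+	if !host.NoSSL {
+		netDialer := ssrf.PublicOnlyDialer()
+		d.NetDialContext = netDialer.DialContext
+	}
+
 	cursor := host.LastSeq
 
 	connectedInbound.Inc()
@@ -306,7 +314,7 @@
 		}
 		hdr := make(http.Header)
 		hdr.Add("User-Agent", s.Config.UserAgent)
-		conn, res, err := d.DialContext(ctx, u, hdr)
+		conn, resp, err := d.DialContext(ctx, u, hdr)
 		if err != nil {
 			s.logger.Warn("dialing failed", "host", host.Hostname, "err", err, "backoff", backoff)
 			time.Sleep(sleepForBackoff(backoff))
@@ -323,7 +331,16 @@
 			continue
 		}
 
-		s.logger.Debug("event subscription response", "code", res.StatusCode, "url", u)
+		// check if we connected to a relay (eg, this indigo relay, or rainbow) and drop if so
+		serverHdr := resp.Header.Get("Server")
+		if strings.Contains("atproto-relay", serverHdr) {
+			s.logger.Warn("subscribed host is atproto relay of some kind, banning", "server", serverHdr, "url", u, "hostname", sub.Hostname)
+			if err := s.Config.PersistHostStatusCallback(ctx, sub.HostID, models.HostStatusBanned); err != nil {
+				s.logger.Error("failed mark host as banned", "hostname", sub.Hostname, "err", err)
+			}
+		}
+
+		s.logger.Debug("event subscription response", "code", resp.StatusCode, "url", u)
 
 		curCursor := cursor
 		if err := s.handleConnection(ctx, conn, &cursor, sub); err != nil {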
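Review bot: The argument order of `strings.Contains` in the new relay check is reversed: `strings.Contains("atproto-relay", serverHdr)` asks whether the literal contains the header value, so a host that sends no Server header (empty string) matches and is banned, while a real header such as `atproto-relay/x.y` does not match; the line should read `if strings.Contains(serverHdr, "atproto-relay") {`. After the ban is persisted the code falls through to the Debug log and into `s.handleConnection`, so the relay is still consumed on this iteration; closing the connection and leaving the subscribe loop there (`conn.Close()` followed by `return`, or whichever exit the enclosing loop uses) would make the refusal take effect immediately rather than relying on a later host-status check, if one exists. The comment above the SSRF guard speaks of a "localhost / private connection" while the condition tested is `host.NoSSL`; if NoSSL is only ever set for such hosts, stating that in the comment (`// NoSSL is only set for local/dev hosts, which are exempt from the public-only dialer`) would make the trust boundary explicit. A Server-header match is also only a best-effort signal, since the header is controlled by the remote host, which is worth a short comment so nobody treats it as a hard guarantee. The enclosing function begins and ends outside this hunk.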