hardening(proxy): only accept ws & wss relays

2025-10-13 20:11:19 -04:00 · 2024-08-30 16:36:32 +04:00 · 2024-08-30 16:36:32 +04:00 · 0f2bdffba0
commit 0f2bdffba0
parent 14f4c82ff7
2 changed files with 10 additions and 6 deletions
--- a/proxy/lib/snowflake.go
+++ b/proxy/lib/snowflake.go
@ -651,6 +651,11 @@ func checkIsRelayURLAcceptable(
 	if err != nil {
 		return fmt.Errorf("bad Relay URL %w", err)
 	}
+	// FYI our websocket library also rejects other protocols
+	// https://github.com/gorilla/websocket/blob/5e002381133d322c5f1305d171f3bdd07decf229/client.go#L174-L181
+	if parsedRelayURL.Scheme != "wss" && parsedRelayURL.Scheme != "ws" {
+		return fmt.Errorf("rejected Relay URL protocol")
+	}
 	matcher := namematcher.NewNameMatcher(allowedHostNamePattern)
 	if !matcher.IsMember(parsedRelayURL.Hostname()) || (!allowNonTLSRelay && parsedRelayURL.Scheme != "wss") {
 		return fmt.Errorf("rejected Relay URL")