Merge branch 'bug40378' into 'main'

resolve host to IP to check if it's local before connecting

See merge request tpo/anti-censorship/pluggable-transports/snowflake!413
Neel Chauhan 2025-09-20 21:12:54 -04:00
commit b882d9456b
3 changed files with 49 additions and 6 deletions


@ -712,13 +712,27 @@ func checkIsRelayURLAcceptable(
return fmt.Errorf("bad Relay URL %w", err)
}
if !allowPrivateIPs {
ip := net.ParseIP(parsedRelayURL.Hostname())
hostname := parsedRelayURL.Hostname()
if util.IsHostnameLocal(hostname) {
return fmt.Errorf("rejected Relay URL: private hostnames are not allowed")
}
ip := net.ParseIP(hostname)
// Otherwise it's a domain name, or an invalid IP.
if ip != nil {
// We should probably use a ready library for this.
if !isRemoteAddress(ip) {
return fmt.Errorf("rejected Relay URL: private IPs are not allowed")
}
} else {
ipArray, err := net.LookupIP(hostname)
if err != nil {
return fmt.Errorf("Could not look up IP %s", hostname)
}
for _, ip := range ipArray {
if !isRemoteAddress(ip) {
return fmt.Errorf("rejected Relay URL: private IPs are not allowed")
}
}
}
}
if !allowNonTLSRelay && parsedRelayURL.Scheme != "wss" {
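Review bot: The addresses returned by `net.LookupIP` in the `} else {` branch are only inspected and then discarded, so the later connection presumably resolves the hostname a second time and may receive a different answer than the one vetted here (the usual gap around a resolve-then-check-then-connect sequence); the check is still worth keeping, but if the dialer is under this package's control it is safer to dial the vetted IP, or to re-run `isRemoteAddress` in the dialer's `Control` hook, rather than the name. Separately, the lookup-failure error drops the underlying error and is capitalized unlike its siblings: `return fmt.Errorf("could not look up IP for %s: %w", hostname, err)`. `net.LookupIP` takes no context, so this check can block on a slow resolver; `net.DefaultResolver.LookupIPAddr(ctx, hostname)` would let the caller bound it, if a ctx is available in this function. checkIsRelayURLAcceptable starts before the hunk, and the loop variable `ip` shadows the outer `ip` declared a few lines up, which compiles but reads confusingly.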