diff --git a/proxy/lib/proxy-go_test.go b/proxy/lib/proxy-go_test.go index 9021387..d1ef7e5 100644 --- a/proxy/lib/proxy-go_test.go +++ b/proxy/lib/proxy-go_test.go @@ -559,6 +559,15 @@ func TestUtilityFuncs(t *testing.T) { {pattern: "$", allowNonTLS: true, targetURL: "wss://😀", expects: nil}, {pattern: "$", allowNonTLS: true, targetURL: "wss://пример.рф", expects: nil}, + // Local URLs + {pattern: "localhost$", allowNonTLS: false, targetURL: "wss://localhost", expects: fmt.Errorf("")}, + {pattern: "test.internal$", allowNonTLS: false, targetURL: "wss://test.internal", expects: fmt.Errorf("")}, + {pattern: "test.invalid$", allowNonTLS: false, targetURL: "wss://test.invalid", expects: fmt.Errorf("")}, + {pattern: "test.localhost$", allowNonTLS: false, targetURL: "wss://test.localhost", expects: fmt.Errorf("")}, + {pattern: "test.local$", allowNonTLS: false, targetURL: "wss://test.local", expects: fmt.Errorf("")}, + {pattern: "test.onion$", allowNonTLS: false, targetURL: "wss://test.onion", expects: fmt.Errorf("")}, + {pattern: "test.test$", allowNonTLS: false, targetURL: "wss://test.test", expects: fmt.Errorf("")}, + // Non-websocket protocols {pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")}, {pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")}, diff --git a/proxy/lib/snowflake.go b/proxy/lib/snowflake.go index 7897200..d408c89 100644 --- a/proxy/lib/snowflake.go +++ b/proxy/lib/snowflake.go @@ -172,6 +172,25 @@ func isRemoteAddress(ip net.IP) bool { return !(util.IsLocal(ip) || ip.IsUnspecified() || ip.IsLoopback()) } +// Checks whether the hostname is local +func isHostnameLocal(hostname string) bool { + // Per https://en.wikipedia.org/wiki/Special-use_domain_name + tlds := []string{ + ".internal", + ".invalid", + ".local", + ".localhost", + ".onion", + ".test", + } + for _, tld := range tlds { + if strings.HasSuffix(hostname, tld) { + return true + } + } + return hostname == "localhost" +} + func genSessionID() string { buf := make([]byte, sessionIDLength) _, err := rand.Read(buf) @@ -670,7 +689,11 @@ func checkIsRelayURLAcceptable( return fmt.Errorf("bad Relay URL %w", err) } if !allowPrivateIPs { - ip := net.ParseIP(parsedRelayURL.Hostname()) + hostname := parsedRelayURL.Hostname() + if isHostnameLocal(hostname) { + return fmt.Errorf("rejected Relay URL: private hostnames are not allowed") + } + ip := net.ParseIP(hostname) // Otherwise it's a domain name, or an invalid IP. if ip != nil { // We should probably use a ready library for this.