archives/snowflake
2
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git synced 2025-10-14 05:11:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

resolve host to IP to check if it's local before connecting

Browse source
This commit is contained in:
Neel Chauhan 2024-10-13 21:20:13 -04:00
parent 8792771cdc
commit c18a1b7e69
2 changed files with 33 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
proxy/lib/proxy-go_test.go
View file

@ -559,6 +559,15 @@ func TestUtilityFuncs(t *testing.T) {
{pattern: "$", allowNonTLS: true, targetURL: "wss://😀", expects: nil},
{pattern: "$", allowNonTLS: true, targetURL: "wss://пример.рф", expects: nil},
// Local URLs
{pattern: "localhost$", allowNonTLS: false, targetURL: "wss://localhost", expects: fmt.Errorf("")},
{pattern: "test.internal$", allowNonTLS: false, targetURL: "wss://test.internal", expects: fmt.Errorf("")},
{pattern: "test.invalid$", allowNonTLS: false, targetURL: "wss://test.invalid", expects: fmt.Errorf("")},
{pattern: "test.localhost$", allowNonTLS: false, targetURL: "wss://test.localhost", expects: fmt.Errorf("")},
{pattern: "test.local$", allowNonTLS: false, targetURL: "wss://test.local", expects: fmt.Errorf("")},
{pattern: "test.onion$", allowNonTLS: false, targetURL: "wss://test.onion", expects: fmt.Errorf("")},
{pattern: "test.test$", allowNonTLS: false, targetURL: "wss://test.test", expects: fmt.Errorf("")},
// Non-websocket protocols
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")},
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")},

25
proxy/lib/snowflake.go
View file

@ -172,6 +172,25 @@ func isRemoteAddress(ip net.IP) bool {
return !(util.IsLocal(ip) || ip.IsUnspecified() || ip.IsLoopback())
}
// Checks whether the hostname is local
func isHostnameLocal(hostname string) bool {
// Per https://en.wikipedia.org/wiki/Special-use_domain_name
tlds := []string{
".internal",
".invalid",
".local",
".localhost",
".onion",
".test",
}
for _, tld := range tlds {
if strings.HasSuffix(hostname, tld) {
return true
}
}
return hostname == "localhost"
}
func genSessionID() string {
buf := make([]byte, sessionIDLength)
_, err := rand.Read(buf)
@ -670,7 +689,11 @@ func checkIsRelayURLAcceptable(
return fmt.Errorf("bad Relay URL %w", err)
}
if !allowPrivateIPs {
ip := net.ParseIP(parsedRelayURL.Hostname())
hostname := parsedRelayURL.Hostname()
if isHostnameLocal(hostname) {
return fmt.Errorf("rejected Relay URL: private hostnames are not allowed")
}
ip := net.ParseIP(hostname)
// Otherwise it's a domain name, or an invalid IP.
if ip != nil {
// We should probably use a ready library for this.