resolve host to IP to check if it's local before connecting
This commit is contained in:
parent
8792771cdc
commit
c18a1b7e69
2 changed files with 33 additions and 1 deletions
|
@ -559,6 +559,15 @@ func TestUtilityFuncs(t *testing.T) {
|
||||||
{pattern: "$", allowNonTLS: true, targetURL: "wss://😀", expects: nil},
|
{pattern: "$", allowNonTLS: true, targetURL: "wss://😀", expects: nil},
|
||||||
{pattern: "$", allowNonTLS: true, targetURL: "wss://пример.рф", expects: nil},
|
{pattern: "$", allowNonTLS: true, targetURL: "wss://пример.рф", expects: nil},
|
||||||
|
|
||||||
|
// Local URLs
|
||||||
|
{pattern: "localhost$", allowNonTLS: false, targetURL: "wss://localhost", expects: fmt.Errorf("")},
|
||||||
|
{pattern: "test.internal$", allowNonTLS: false, targetURL: "wss://test.internal", expects: fmt.Errorf("")},
|
||||||
|
{pattern: "test.invalid$", allowNonTLS: false, targetURL: "wss://test.invalid", expects: fmt.Errorf("")},
|
||||||
|
{pattern: "test.localhost$", allowNonTLS: false, targetURL: "wss://test.localhost", expects: fmt.Errorf("")},
|
||||||
|
{pattern: "test.local$", allowNonTLS: false, targetURL: "wss://test.local", expects: fmt.Errorf("")},
|
||||||
|
{pattern: "test.onion$", allowNonTLS: false, targetURL: "wss://test.onion", expects: fmt.Errorf("")},
|
||||||
|
{pattern: "test.test$", allowNonTLS: false, targetURL: "wss://test.test", expects: fmt.Errorf("")},
|
||||||
|
|
||||||
// Non-websocket protocols
|
// Non-websocket protocols
|
||||||
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")},
|
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "https://snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||||
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")},
|
{pattern: "snowflake.torproject.net$", allowNonTLS: false, targetURL: "ftp://snowflake.torproject.net", expects: fmt.Errorf("")},
|
||||||
|
|
|
@ -172,6 +172,25 @@ func isRemoteAddress(ip net.IP) bool {
|
||||||
return !(util.IsLocal(ip) || ip.IsUnspecified() || ip.IsLoopback())
|
return !(util.IsLocal(ip) || ip.IsUnspecified() || ip.IsLoopback())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Checks whether the hostname is local
|
||||||
|
func isHostnameLocal(hostname string) bool {
|
||||||
|
// Per https://en.wikipedia.org/wiki/Special-use_domain_name
|
||||||
|
tlds := []string{
|
||||||
|
".internal",
|
||||||
|
".invalid",
|
||||||
|
".local",
|
||||||
|
".localhost",
|
||||||
|
".onion",
|
||||||
|
".test",
|
||||||
|
}
|
||||||
|
for _, tld := range tlds {
|
||||||
|
if strings.HasSuffix(hostname, tld) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return hostname == "localhost"
|
||||||
|
}
|
||||||
|
|
||||||
func genSessionID() string {
|
func genSessionID() string {
|
||||||
buf := make([]byte, sessionIDLength)
|
buf := make([]byte, sessionIDLength)
|
||||||
_, err := rand.Read(buf)
|
_, err := rand.Read(buf)
|
||||||
|
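Review bot: isHostnameLocal matches case-sensitively and does not strip a trailing dot, so `LOCALHOST`, `Test.Local` or `localhost.` slip past the check even though DNS treats them as the same names, and `url.Hostname()` does not lowercase for you. Normalize as the first statement of the function: `hostname = strings.ToLower(strings.TrimSuffix(hostname, "."))`. The local-URL cases in the test table of the first hunk would then benefit from uppercase and trailing-dot variants. Two smaller points: the `tlds` slice is rebuilt on every call and could be a package-level `var localTLDs = []string{...}`, and the doc comment would follow Go convention as `// isHostnameLocal reports whether hostname is a special-use (local) domain name.` The `genSessionID` lines at the end are context and that function continues outside the hunk.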
@ -670,7 +689,11 @@ func checkIsRelayURLAcceptable(
|
||||||
return fmt.Errorf("bad Relay URL %w", err)
|
return fmt.Errorf("bad Relay URL %w", err)
|
||||||
}
|
}
|
||||||
if !allowPrivateIPs {
|
if !allowPrivateIPs {
|
||||||
ip := net.ParseIP(parsedRelayURL.Hostname())
|
hostname := parsedRelayURL.Hostname()
|
||||||
|
if isHostnameLocal(hostname) {
|
||||||
|
return fmt.Errorf("rejected Relay URL: private hostnames are not allowed")
|
||||||
|
}
|
||||||
|
ip := net.ParseIP(hostname)
|
||||||
// Otherwise it's a domain name, or an invalid IP.
|
// Otherwise it's a domain name, or an invalid IP.
|
||||||
if ip != nil {
|
if ip != nil {
|
||||||
// We should probably use a ready library for this.
|
// We should probably use a ready library for this.
|
||||||
|
|
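Review bot: The new block rejects only special-use suffixes and literal private IPs; a public-looking name that resolves to a private address is not caught here, so the resolution the commit title promises must live in the branch after `if ip != nil`, which is outside the hunk. If that is where the lookup happens, note that the address vetted there can differ from the one the dialer resolves later (the usual rebinding concern); dialing the vetted address instead of the name, or repeating the check in the dialer, closes that gap. Minor: `fmt.Errorf` with no format verbs is better written as `errors.New("rejected Relay URL: private hostnames are not allowed")`, assuming `errors` is imported in this file. checkIsRelayURLAcceptable starts and ends outside the hunk.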