From e5e7a15a85723f629ce501569cedc54d3d4334b8 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Tue, 23 May 2017 13:07:18 -0400
Subject: [PATCH] SECURITY: Never crawl by IP
---
lib/final_destination.rb | 11 ++++-------
spec/components/final_destination_spec.rb | 5 +++++
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/lib/final_destination.rb b/lib/final_destination.rb
index 9f8c9d34ee3..bf581c91ae4 100644
--- a/lib/final_destination.rb
+++ b/lib/final_destination.rb
@@ -68,14 +68,11 @@ class FinalDestination
 def validate_uri_format
 return false unless @uri
 return false unless ['https', 'http'].include?(@uri.scheme)
+ return false if @uri.scheme == 'http' && @uri.port != 80
+ return false if @uri.scheme == 'https' && @uri.port != 443
- if @uri.scheme == 'http'
- return @uri.port == 80
- elsif @uri.scheme == 'https'
- return @uri.port == 443
- end
-
- false
+ # Disallow IP based crawling
+ (IPAddr.new(@uri.hostname) rescue nil).nil?
 end
 def is_public?
diff --git a/spec/components/final_destination_spec.rb b/spec/components/final_destination_spec.rb
index f78825df35c..4b0b8b9fd2e 100644
--- a/spec/components/final_destination_spec.rb
+++ b/spec/components/final_destination_spec.rb
@@ -123,6 +123,11 @@ describe FinalDestination do
 expect(fd('ftp://eviltrout.com').validate_uri_format).to eq(false)
 end
+ it "doesn't support IP urls" do
+ expect(fd('http://104.25.152.10').validate_uri_format).to eq(false)
+ expect(fd('https://[2001:abc:de:01:0:3f0:6a65:c2bf]').validate_uri_format).to eq(false)
+ end
+
 it "returns false for schemeless URL" do
 expect(fd('eviltrout.com').validate_uri_format).to eq(false)
 end
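Review bot: The `rescue nil` modifier on the new `(IPAddr.new(@uri.hostname) rescue nil).nil?` line swallows every StandardError, so a nil or empty hostname (which appears to make `IPAddr.new` raise rather than return an address) is rescued to nil and the method then returns true instead of rejecting the URL; prefer `return false if @uri.hostname.nil? || @uri.hostname.empty?` before the check and narrow the rescue to `rescue IPAddr::InvalidAddressError` so only the "not a literal address" case is treated as acceptable. Rejecting literal addresses also covers only the spellings IPAddr parses; a DNS name that resolves to an internal address, or a numeric host the system resolver accepts in a form IPAddr does not, still passes this method, so the resolved-address check in `is_public?` (whose body is outside the hunk) should remain the authoritative gate and this check should be treated as defence in depth. A comment making that explicit would help the next reader: `# Literal-IP rejection only; the resolved address is checked in is_public?`.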
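Review bot: The new example pins only literal IPv4 and IPv6 hosts as rejected; it does not assert that a plain hostname URL still validates after the IP check, which is the path most likely to regress when this check is later tightened. If no equivalent positive case exists elsewhere in the spec (the rest of the file is outside the hunk), consider adding `expect(fd('https://eviltrout.com').validate_uri_format).to eq(true)` beside the new cases, and a case for a URL with an empty host so the expected outcome there is documented rather than incidental. The enclosing `describe` block starts before and ends after the hunk.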