7 Commits

Author	SHA1	Message	Date
Ted Johansson	d133692605	SECURITY: Add FinalDestination::FastImage that's SSRF safe	2023-03-16 16:25:48 -06:00
Alan Guo Xiang Tan	87032e87ea	SECURITY: SSRF protection bypass with IPv4-mapped IPv6 addresses ... As part of this commit, we've also expanded our list of private IP ranges based on https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml and https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml	2023-03-16 16:25:48 -06:00
Sam	f6dc6da3f8	DEV: avoid mocking FinalDestination (#20570)	2023-03-09 08:46:41 +08:00
David Taylor	6417173082	DEV: Apply syntax_tree formatting to lib/*	2023-01-09 12:10:19 +00:00
Ted Johansson	06db264f24	FIX: Gracefully handle DNS issued from SSRF lookup when inline oneboxing (#19631) ... There is an issue where chat message processing breaks due to unhandles `SocketError` exceptions originating in the SSRF check, specifically in `FinalDestination::Resolver`. This change gives `FinalDestination::SSRFDetector` a new error class to wrap the `SocketError` in, and haves the `RetrieveTitle` class handle that error gracefully.	2022-12-28 10:30:20 +08:00
David Taylor	f1ec8c869a	DEV: Fix FinalDestination::Resolver race condition (#19558) ... We were adding to the resolver's work queue before setting up the `@lookup` and `@parent` information. That could lead to the lookup being performed on the wrong (or `nil`) hostname. This also lead to some flakiness in specs.	2022-12-21 16:02:24 +00:00
David Taylor	68b4fe4cf8	SECURITY: Expand and improve SSRF Protections (#18815) ... See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com> Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>	2022-11-01 16:33:17 +00:00