mirror of
https://github.com/discourse/discourse.git
synced 2024-11-23 02:19:27 +08:00
68b4fe4cf8
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com> Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
41 lines
1.2 KiB
Ruby
41 lines
1.2 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class FinalDestination::HTTP < Net::HTTP
|
|
def connect
|
|
original_open_timeout = @open_timeout
|
|
return super if @ipaddr
|
|
|
|
timeout_at = current_time + @open_timeout
|
|
|
|
# This iteration through addresses would normally happen in Socket#tcp
|
|
# We do it here because we're tightly controlling addresses rather than
|
|
# handing Socket#tcp a hostname
|
|
ips = FinalDestination::SSRFDetector.lookup_and_filter_ips(@address, timeout: @connect_timeout)
|
|
|
|
ips.each_with_index do |ip, index|
|
|
debug "[FinalDestination] Attempting connection to #{ip}..."
|
|
self.ipaddr = ip
|
|
|
|
remaining_time = timeout_at - current_time
|
|
if remaining_time <= 0
|
|
raise Net::OpenTimeout.new("Operation timed out - FinalDestination::HTTP")
|
|
end
|
|
|
|
@open_timeout = remaining_time
|
|
return super
|
|
rescue SystemCallError, Net::OpenTimeout => e
|
|
debug "[FinalDestination] Error connecting to #{ip}... #{e.message}"
|
|
was_last_attempt = index == ips.length - 1
|
|
raise if was_last_attempt
|
|
end
|
|
ensure
|
|
@open_timeout = original_open_timeout
|
|
end
|
|
|
|
private
|
|
|
|
def current_time
|
|
Process.clock_gettime(Process::CLOCK_MONOTONIC)
|
|
end
|
|
end
|