Ensure the host is not a local IP.

Author: RubenVerborgh

lib/handlers/proxy.js

@@ -4,6 +4,7 @@ const proxy = require('http-proxy-middleware')
 const cors = require('cors')
 const debug = require('../debug')
 const url = require('url')
+const dns = require('dns')
 const isIp = require('is-ip')
 const ipRange = require('ip-range-check')
 const validUrl = require('valid-url')
@@ -20,7 +21,12 @@ const PROXY_SETTINGS = {
   router: req => req.destination.target,
   pathRewrite: (path, req) => req.destination.path
 }
-const LOCAL_IP_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
+const LOCAL_IP_RANGES = [
+  '10.0.0.0/8',
+  '127.0.0.0/8',
+  '172.16.0.0/12',
+  '192.168.0.0/16'
+]
 
 // Adds a CORS proxy handler to the application on the given path
 function addCorsProxyHandler (app, path) {
@@ -40,14 +46,21 @@ function extractProxyConfig (req, res, next) {
     return res.status(400).send(`Invalid URL passed: ${uri || '(none)'}`)
   }
 
-  // Ensure the host is not a local IP
-  // TODO: guard against hostnames such as 'localhost' as well
+  // Parse the URL and retrieve its host's IP address
   const { protocol, host, hostname, path } = url.parse(uri)
-  if (isIp(hostname) && LOCAL_IP_RANGES.some(r => ipRange(hostname, r))) {
-    return res.status(400).send(`Cannot proxy ${uri}`)
+  if (isIp(hostname)) {
+    addProxyConfig(null, hostname)
+  } else {
+    dns.lookup(hostname, addProxyConfig)
   }
 
-  // Add the proxy configuration to the request
-  req.destination = { path, target: `${protocol}//${host}` }
-  next()
+  // Verifies and adds the proxy configuration to the request
+  function addProxyConfig (error, hostAddress) {
+    // Ensure the host is not a local IP
+    if (error || LOCAL_IP_RANGES.some(r => ipRange(hostAddress, r))) {
+      return res.status(400).send(`Cannot proxy ${uri}`)
+    }
+    req.destination = { path, target: `${protocol}//${host}` }
+    next()
+  }
 }

test/integration/proxy.js

@@ -15,8 +15,8 @@ describe('proxy', () => {
   var server = supertest(ldp)
 
   it('should return the website in /proxy?uri', (done) => {
-    nock('https://amazingwebsite.tld').get('/').reply(200)
-    server.get('/proxy?uri=https://amazingwebsite.tld/')
+    nock('https://example.org').get('/').reply(200)
+    server.get('/proxy?uri=https://example.org/')
       .expect(200, done)
   })
 
@@ -28,10 +28,21 @@ describe('proxy', () => {
       .end(done)
   })
 
-  it('should return 400 on local network requests', (done) => {
-    nock('https://192.168.0.0').get('/').reply(200)
-    server.get('/proxy?uri=https://192.168.0.0/')
-      .expect('Cannot proxy https://192.168.0.0/')
+  const LOCAL_IPS = ['127.0.0.0', '10.0.0.0', '172.16.0.0', '192.168.0.0']
+  LOCAL_IPS.forEach(ip => {
+    it(`should return 400 for a ${ip} address`, (done) => {
+      nock(`https://${ip}`).get('/').reply(200)
+      server.get(`/proxy?uri=https://${ip}/`)
+        .expect(`Cannot proxy https://${ip}/`)
+        .expect(400)
+        .end(done)
+    })
+  })
+
+  it('should return 400 with a local hostname', (done) => {
+    nock('https://nic.localhost').get('/').reply(200)
+    server.get('/proxy?uri=https://nic.localhost/')
+      .expect('Cannot proxy https://nic.localhost/')
       .expect(400)
       .end(done)
   })
@@ -51,7 +62,7 @@ describe('proxy', () => {
   })
 
   it('should return the same headers of proxied request', (done) => {
-    nock('https://amazingwebsite.tld')
+    nock('https://example.org')
       .get('/')
       .reply(function (uri, req) {
         if (this.req.headers['accept'] !== 'text/turtle') {
@@ -64,7 +75,7 @@ describe('proxy', () => {
         }
       })
 
-    server.get('/proxy?uri=https://amazingwebsite.tld/')
+    server.get('/proxy?uri=https://example.org/')
       .set('test', 'test1')
       .set('accept', 'text/turtle')
       .expect(200)
@@ -75,8 +86,8 @@ describe('proxy', () => {
   })
 
   it('should also work on /proxy/ ?uri', (done) => {
-    nock('https://amazingwebsite.tld').get('/').reply(200)
-    server.get('/proxy/?uri=https://amazingwebsite.tld/')
+    nock('https://example.org').get('/').reply(200)
+    server.get('/proxy/?uri=https://example.org/')
       .expect((a) => {
         assert.equal(a.header['link'], null)
       })
@@ -87,31 +98,31 @@ describe('proxy', () => {
     async.parallel([
       // 500
       (next) => {
-        nock('https://amazingwebsite.tld').get('/404').reply(404)
-        server.get('/proxy/?uri=https://amazingwebsite.tld/404')
+        nock('https://example.org').get('/404').reply(404)
+        server.get('/proxy/?uri=https://example.org/404')
           .expect(404, next)
       },
       (next) => {
-        nock('https://amazingwebsite.tld').get('/401').reply(401)
-        server.get('/proxy/?uri=https://amazingwebsite.tld/401')
+        nock('https://example.org').get('/401').reply(401)
+        server.get('/proxy/?uri=https://example.org/401')
           .expect(401, next)
       },
       (next) => {
-        nock('https://amazingwebsite.tld').get('/500').reply(500)
-        server.get('/proxy/?uri=https://amazingwebsite.tld/500')
+        nock('https://example.org').get('/500').reply(500)
+        server.get('/proxy/?uri=https://example.org/500')
           .expect(500, next)
       },
       (next) => {
-        nock('https://amazingwebsite.tld').get('/').reply(200)
-        server.get('/proxy/?uri=https://amazingwebsite.tld/')
+        nock('https://example.org').get('/').reply(200)
+        server.get('/proxy/?uri=https://example.org/')
           .expect(200, next)
       }
     ], done)
   })
 
   it('should work with cors', (done) => {
-    nock('https://amazingwebsite.tld').get('/').reply(200)
-    server.get('/proxy/?uri=https://amazingwebsite.tld/')
+    nock('https://example.org').get('/').reply(200)
+    server.get('/proxy/?uri=https://example.org/')
       .set('Origin', 'http://example.com')
       .expect('Access-Control-Allow-Origin', 'http://example.com')
       .expect(200, done)