Madeorsk/rudeshark.net
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: veiry url

Browse Source
This commit is contained in:
Namekuji 2023-08-18 04:57:19 -04:00
parent 36c9d5a870
commit 5520c6ff3d
No known key found for this signature in database
GPG Key ID: 1D62332C07FBA532
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
packages/backend/src/services/drive/upload-from-url.ts
View File

@ -23,6 +23,9 @@ type Args = {
requestHeaders?: Record<string, string> | null; requestHeaders?: Record<string, string> | null;
}; };
const PRIVATE_IP =
/(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)/;
export async function uploadFromUrl({ export async function uploadFromUrl({
url, url,
user, user,
@ -35,7 +38,15 @@ export async function uploadFromUrl({
requestIp = null, requestIp = null,
requestHeaders = null, requestHeaders = null,
}: Args): Promise<DriveFile> { }: Args): Promise<DriveFile> {
let name = new URL(url).pathname.split("/").pop() || null; const parsedUrl = new URL(url);
if (
process.env.NODE_ENV === "production" &&
PRIVATE_IP.test(parsedUrl.hostname)
) {
throw new Error("Private IP is not allowed");
}
let name = parsedUrl.pathname.split("/").pop() || null;
if (name == null || !DriveFiles.validateFileName(name)) { if (name == null || !DriveFiles.validateFileName(name)) {
name = null; name = null;
} }