Block direct requests to private IPs (#529)

Chatterino · Sep 13, 2023 · 6716075 · 6716075
1 parent e000a93
commit 6716075
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- Minor: Block direct requests to private IPs. (#529)
 - Breaking: Remove the `/twitchemotes/` endpoints. See [issue 332](https://github.com/Chatterino/api/issues/332) for more information. (#465)
 - Minor: Use Twitter OG tags if no Twitter credentials are configured. (#522)
 - Minor: Support `x.com` for tweets. (#527)

diff --git a/internal/resolvers/default/link_resolver.go b/internal/resolvers/default/link_resolver.go
@@ -3,6 +3,7 @@ package defaultresolver
 import (
 	"context"
 	"errors"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -44,6 +45,11 @@ func (r *LinkResolver) shouldIgnore(u *url.URL) bool {
 		return true
 	}
 
+	ip := net.ParseIP(u.Host)
+	if ip != nil && ip.IsPrivate() {
+		return true
+	}
+
 	return false
 }