block ip URLs
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
This commit is contained in:
parent
7577cf3acd
commit
bb7605e999
4 changed files with 19 additions and 2 deletions
1
Cargo.lock
generated
1
Cargo.lock
generated
|
|
@ -3199,6 +3199,7 @@ dependencies = [
|
|||
"tokio",
|
||||
"toml",
|
||||
"tower-service",
|
||||
"url",
|
||||
"wasm-bindgen",
|
||||
"webp",
|
||||
"worker",
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ cf-worker = ["dep:worker", "dep:worker-macros"]
|
|||
cf-worker-paid = ["cf-worker", "resvg/raster-images", "resvg/text", "image/ico", "panic-console-error"]
|
||||
panic-console-error = ["dep:console_error_panic_hook"]
|
||||
apparmor = ["dep:siphasher", "dep:libc"]
|
||||
reqwest = ["dep:reqwest"]
|
||||
reqwest = ["dep:reqwest", "dep:url"]
|
||||
svg-text = ["resvg/text", "dep:fontdb"]
|
||||
tokio = ["dep:tokio", "axum/tokio"]
|
||||
env_logger = ["dep:env_logger"]
|
||||
|
|
@ -77,6 +77,7 @@ libc = { version = "0.2.162", optional = true }
|
|||
axum-server = { version = "0.7.1", optional = true }
|
||||
fontdb = { version = "0.23", optional = true }
|
||||
webp = { version = "0.3.0", optional = true }
|
||||
url = { version = "2", optional = true }
|
||||
|
||||
[patch.crates-io]
|
||||
# licensing and webp dependencies
|
||||
|
|
|
|||
|
|
@ -147,6 +147,7 @@ pub mod reqwest {
|
|||
use futures::TryStreamExt;
|
||||
use reqwest::dns::Resolve;
|
||||
use std::{net::SocketAddrV4, sync::Arc, time::Duration};
|
||||
use url::Host;
|
||||
|
||||
/// A Safe DNS resolver that only resolves to global addresses unless the requester itself is local.
|
||||
pub struct SafeResolver(AddrFamilyConfig);
|
||||
|
|
@ -308,8 +309,14 @@ pub mod reqwest {
|
|||
}
|
||||
|
||||
let url_parsed = Url::parse(url).map_err(|_| ErrorResponse::bad_url())?;
|
||||
secure &= url_parsed.scheme().eq_ignore_ascii_case("https");
|
||||
if !url_parsed.host().map_or(false, |h| match h {
|
||||
Host::Domain(_) => true,
|
||||
_ => false,
|
||||
}) {
|
||||
return Err(ErrorResponse::non_dns_name());
|
||||
}
|
||||
|
||||
secure &= url_parsed.scheme().eq_ignore_ascii_case("https");
|
||||
if self.https_only && !secure {
|
||||
return Err(ErrorResponse::insecure_request());
|
||||
}
|
||||
|
|
|
|||
|
|
@ -424,6 +424,14 @@ impl Display for ErrorResponse {
|
|||
impl std::error::Error for ErrorResponse {}
|
||||
|
||||
impl ErrorResponse {
|
||||
#[cfg(not(feature = "cf-worker"))]
|
||||
/// URL must be a DNS name
|
||||
pub const fn non_dns_name() -> Self {
|
||||
Self {
|
||||
status: StatusCode::BAD_REQUEST,
|
||||
message: Cow::Borrowed("URL must be a DNS name"),
|
||||
}
|
||||
}
|
||||
/// Entropy source exhausted
|
||||
#[must_use]
|
||||
pub const fn entropy_exhausted() -> Self {
|
||||
|
|
|
|||
Loading…
Reference in a new issue