sendico/api/edge/callbacks/internal/security/service.go

package security

import (
	"context"
	"net"
	"net/netip"
	"net/url"
	"strconv"
	"strings"
	"time"

	"github.com/tech/sendico/pkg/merrors"
)

type service struct {
	requireHTTPS bool
	allowedHosts map[string]struct{}
	allowedPorts map[int]struct{}
	dnsTimeout   time.Duration
	resolver     *net.Resolver
}

// New creates URL validator.
func New(cfg Config) Validator {
	hosts := make(map[string]struct{}, len(cfg.AllowedHosts))
	for _, host := range cfg.AllowedHosts {
		h := strings.ToLower(strings.TrimSpace(host))
		if h == "" {
			continue
		}
		hosts[h] = struct{}{}
	}
	ports := make(map[int]struct{}, len(cfg.AllowedPorts))
	for _, port := range cfg.AllowedPorts {
		if port > 0 {
			ports[port] = struct{}{}
		}
	}

	timeout := time.Duration(cfg.DNSResolveTimeout) * time.Millisecond
	if timeout <= 0 {
		timeout = 2 * time.Second
	}

	return &service{
		requireHTTPS: cfg.RequireHTTPS,
		allowedHosts: hosts,
		allowedPorts: ports,
		dnsTimeout:   timeout,
		resolver:     net.DefaultResolver,
	}
}

func (s *service) ValidateURL(ctx context.Context, target string) error {
	parsed, err := url.Parse(strings.TrimSpace(target))
	if err != nil {
		return merrors.InvalidArgumentWrap(err, "invalid callback URL", "url")
	}
	if parsed == nil || parsed.Host == "" {
		return merrors.InvalidArgument("callback URL host is required", "url")
	}
	if parsed.User != nil {
		return merrors.InvalidArgument("callback URL credentials are not allowed", "url")
	}
	if s.requireHTTPS && !strings.EqualFold(parsed.Scheme, "https") {
		return merrors.InvalidArgument("callback URL must use HTTPS", "url")
	}

	host := strings.ToLower(strings.TrimSpace(parsed.Hostname()))
	if host == "" {
		return merrors.InvalidArgument("callback URL host is empty", "url")
	}
	if len(s.allowedHosts) > 0 {
		if _, ok := s.allowedHosts[host]; !ok {
			return merrors.InvalidArgument("callback host is not in allowlist", "url.host")
		}
	}

	port, err := resolvePort(parsed)
	if err != nil {
		return err
	}
	if len(s.allowedPorts) > 0 {
		if _, ok := s.allowedPorts[port]; !ok {
			return merrors.InvalidArgument("callback URL port is not allowed", "url.port")
		}
	}

	if addr, addrErr := netip.ParseAddr(host); addrErr == nil {
		if isBlocked(addr) {
			return merrors.InvalidArgument("callback URL resolves to blocked IP range", "url")
		}
		return nil
	}

	lookupCtx := ctx
	if lookupCtx == nil {
		lookupCtx = context.Background()
	}
	lookupCtx, cancel := context.WithTimeout(lookupCtx, s.dnsTimeout)
	defer cancel()

	ips, err := s.resolver.LookupIPAddr(lookupCtx, host)
	if err != nil {
		return merrors.InternalWrap(err, "failed to resolve callback host")
	}
	if len(ips) == 0 {
		return merrors.InvalidArgument("callback host did not resolve", "url.host")
	}
	for _, ip := range ips {
		if ip.IP == nil {
			continue
		}
		addr, ok := netip.AddrFromSlice(ip.IP)
		if ok && isBlocked(addr) {
			return merrors.InvalidArgument("callback URL resolves to blocked IP range", "url.host")
		}
	}

	return nil
}

func resolvePort(parsed *url.URL) (int, error) {
	if parsed == nil {
		return 0, merrors.InvalidArgument("callback URL is required", "url")
	}
	portStr := strings.TrimSpace(parsed.Port())
	if portStr == "" {
		if strings.EqualFold(parsed.Scheme, "https") {
			return 443, nil
		}
		if strings.EqualFold(parsed.Scheme, "http") {
			return 80, nil
		}
		return 0, merrors.InvalidArgument("callback URL scheme is not supported", "url.scheme")
	}

	port, err := strconv.Atoi(portStr)
	if err != nil || port <= 0 || port > 65535 {
		return 0, merrors.InvalidArgument("callback URL port is invalid", "url.port")
	}

	return port, nil
}

func isBlocked(ip netip.Addr) bool {
	if !ip.IsValid() {
		return true
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	if ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
		return true
	}

	// Block common cloud metadata endpoint.
	if ip.Is4() && ip.String() == "169.254.169.254" {
		return true
	}

	return false
}