195 lines
5.2 KiB
Go
195 lines
5.2 KiB
Go
package security
|
|
|
|
import (
|
|
"context"
|
|
"net"
|
|
"net/netip"
|
|
"net/url"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/tech/sendico/pkg/merrors"
|
|
"github.com/tech/sendico/pkg/mlogger"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
type service struct {
|
|
logger mlogger.Logger
|
|
requireHTTPS bool
|
|
allowedHosts map[string]struct{}
|
|
allowedPorts map[int]struct{}
|
|
dnsTimeout time.Duration
|
|
resolver *net.Resolver
|
|
}
|
|
|
|
// New creates URL validator.
|
|
func New(logger mlogger.Logger, cfg Config) Validator {
|
|
if logger == nil {
|
|
logger = zap.NewNop()
|
|
}
|
|
|
|
hosts := make(map[string]struct{}, len(cfg.AllowedHosts))
|
|
for _, host := range cfg.AllowedHosts {
|
|
h := strings.ToLower(strings.TrimSpace(host))
|
|
if h == "" {
|
|
continue
|
|
}
|
|
hosts[h] = struct{}{}
|
|
}
|
|
ports := make(map[int]struct{}, len(cfg.AllowedPorts))
|
|
for _, port := range cfg.AllowedPorts {
|
|
if port > 0 {
|
|
ports[port] = struct{}{}
|
|
}
|
|
}
|
|
|
|
timeout := time.Duration(cfg.DNSResolveTimeout) * time.Millisecond
|
|
if timeout <= 0 {
|
|
timeout = 2 * time.Second
|
|
}
|
|
|
|
return &service{
|
|
logger: logger.Named("security"),
|
|
requireHTTPS: cfg.RequireHTTPS,
|
|
allowedHosts: hosts,
|
|
allowedPorts: ports,
|
|
dnsTimeout: timeout,
|
|
resolver: net.DefaultResolver,
|
|
}
|
|
}
|
|
|
|
func (s *service) ValidateURL(ctx context.Context, target string) error {
|
|
parsed, err := url.Parse(strings.TrimSpace(target))
|
|
if err != nil {
|
|
s.logger.Warn("Failed to parse callback URL", zap.Error(err))
|
|
return merrors.InvalidArgumentWrap(err, "invalid callback URL", "url")
|
|
}
|
|
if parsed == nil || parsed.Host == "" {
|
|
s.logger.Warn("Callback URL host is required")
|
|
return merrors.InvalidArgument("callback URL host is required", "url")
|
|
}
|
|
if parsed.User != nil {
|
|
s.logger.Warn("Rejected callback URL with credentials", zap.String("host", parsed.Hostname()))
|
|
return merrors.InvalidArgument("callback URL credentials are not allowed", "url")
|
|
}
|
|
if s.requireHTTPS && !strings.EqualFold(parsed.Scheme, "https") {
|
|
s.logger.Warn("Rejected callback URL due to non-https scheme",
|
|
zap.String("scheme", parsed.Scheme),
|
|
zap.String("host", parsed.Hostname()),
|
|
)
|
|
return merrors.InvalidArgument("callback URL must use HTTPS", "url")
|
|
}
|
|
|
|
host := strings.ToLower(strings.TrimSpace(parsed.Hostname()))
|
|
if host == "" {
|
|
s.logger.Warn("Callback URL host is empty")
|
|
return merrors.InvalidArgument("callback URL host is empty", "url")
|
|
}
|
|
if len(s.allowedHosts) > 0 {
|
|
if _, ok := s.allowedHosts[host]; !ok {
|
|
s.logger.Warn("Rejected callback host not present in allowlist", zap.String("host", host))
|
|
return merrors.InvalidArgument("callback host is not in allowlist", "url.host")
|
|
}
|
|
}
|
|
|
|
port, err := resolvePort(parsed)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if len(s.allowedPorts) > 0 {
|
|
if _, ok := s.allowedPorts[port]; !ok {
|
|
s.logger.Warn("Rejected callback URL port not present in allowlist",
|
|
zap.String("host", host),
|
|
zap.Int("port", port),
|
|
)
|
|
return merrors.InvalidArgument("callback URL port is not allowed", "url.port")
|
|
}
|
|
}
|
|
|
|
if addr, addrErr := netip.ParseAddr(host); addrErr == nil {
|
|
if isBlocked(addr) {
|
|
s.logger.Warn("Rejected callback URL with blocked IP address",
|
|
zap.String("host", host),
|
|
zap.String("ip", addr.String()),
|
|
)
|
|
return merrors.InvalidArgument("callback URL resolves to blocked IP range", "url")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
lookupCtx := ctx
|
|
if lookupCtx == nil {
|
|
lookupCtx = context.Background()
|
|
}
|
|
lookupCtx, cancel := context.WithTimeout(lookupCtx, s.dnsTimeout)
|
|
defer cancel()
|
|
|
|
ips, err := s.resolver.LookupIPAddr(lookupCtx, host)
|
|
if err != nil {
|
|
s.logger.Warn("Failed to resolve callback host", zap.String("host", host), zap.Error(err))
|
|
return merrors.InternalWrap(err, "failed to resolve callback host")
|
|
}
|
|
if len(ips) == 0 {
|
|
s.logger.Warn("Callback host did not resolve", zap.String("host", host))
|
|
return merrors.InvalidArgument("callback host did not resolve", "url.host")
|
|
}
|
|
for _, ip := range ips {
|
|
if ip.IP == nil {
|
|
continue
|
|
}
|
|
addr, ok := netip.AddrFromSlice(ip.IP)
|
|
if ok && isBlocked(addr) {
|
|
s.logger.Warn("Rejected callback URL resolving to blocked IP address",
|
|
zap.String("host", host),
|
|
zap.String("ip", addr.String()),
|
|
)
|
|
return merrors.InvalidArgument("callback URL resolves to blocked IP range", "url.host")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func resolvePort(parsed *url.URL) (int, error) {
|
|
if parsed == nil {
|
|
return 0, merrors.InvalidArgument("callback URL is required", "url")
|
|
}
|
|
portStr := strings.TrimSpace(parsed.Port())
|
|
if portStr == "" {
|
|
if strings.EqualFold(parsed.Scheme, "https") {
|
|
return 443, nil
|
|
}
|
|
if strings.EqualFold(parsed.Scheme, "http") {
|
|
return 80, nil
|
|
}
|
|
return 0, merrors.InvalidArgument("callback URL scheme is not supported", "url.scheme")
|
|
}
|
|
|
|
port, err := strconv.Atoi(portStr)
|
|
if err != nil || port <= 0 || port > 65535 {
|
|
return 0, merrors.InvalidArgument("callback URL port is invalid", "url.port")
|
|
}
|
|
|
|
return port, nil
|
|
}
|
|
|
|
func isBlocked(ip netip.Addr) bool {
|
|
if !ip.IsValid() {
|
|
return true
|
|
}
|
|
if ip.IsLoopback() || ip.IsPrivate() || ip.IsMulticast() || ip.IsUnspecified() {
|
|
return true
|
|
}
|
|
if ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
|
|
return true
|
|
}
|
|
|
|
// Block common cloud metadata endpoint.
|
|
if ip.Is4() && ip.String() == "169.254.169.254" {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|