mirror of
https://github.com/pixelfed/pixelfed.git
synced 2024-11-25 15:55:22 +00:00
Update AP Helpers, improve url validation and add optional dns verification, disabled by default
parent
a00a520bf3
commit
2bef3e415d
3 changed files with 54 additions and 17 deletions
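--- a/app/Services/DomainService.php
+++ b/app/Services/DomainService.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Services;
+
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Redis;
+
+class DomainService
+{
+const CACHE_KEY = 'pf:services:domains:';
+
+public static function hasValidDns($domain)
+{
+if(!$domain || !strlen($domain) || strpos($domain, '.') == -1) {
+return false;
+}
+
+if(config('security.url.trusted_domains')) {
+if(in_array($domain, explode(',', config('security.url.trusted_domains')))) {
+return true;
+}
+}
+
+return Cache::remember(self::CACHE_KEY . 'valid-dns:' . $domain, 14400, function() use($domain) {
+return count(dns_get_record($domain, DNS_A | DNS_AAAA)) > 0;
+});
+}
+}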
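Review bot: The dot check in `hasValidDns()` never fires, because `strpos()` returns `false` rather than `-1` when the needle is absent, so `strpos($domain, '.') == -1` is always false and dotless hosts fall through to the DNS lookup; it should read `strpos($domain, '.') === false`. `dns_get_record()` returns `false` on a failed lookup, which makes `count()` throw on PHP 8, so the closure should guard it with `$records = dns_get_record($domain, DNS_A | DNS_AAAA);` and `return is_array($records) && count($records) > 0;`. The lookup proves only that the name resolves, not that it resolves to a public address, and the result is cached for four hours while the later fetch resolves the name again. A docblock on the method should say that this is an existence check and not an SSRF guard. The `Redis` import is unused in the file as shown.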
|
@ -40,6 +40,7 @@ use App\Models\Poll;
|
||||||
use Illuminate\Contracts\Cache\LockTimeoutException;
|
use Illuminate\Contracts\Cache\LockTimeoutException;
|
||||||
use App\Jobs\ProfilePipeline\IncrementPostCount;
|
use App\Jobs\ProfilePipeline\IncrementPostCount;
|
||||||
use App\Jobs\ProfilePipeline\DecrementPostCount;
|
use App\Jobs\ProfilePipeline\DecrementPostCount;
|
||||||
|
use App\Services\DomainService;
|
||||||
use App\Services\UserFilterService;
|
use App\Services\UserFilterService;
|
||||||
|
|
||||||
class Helpers {
|
class Helpers {
|
||||||
|
@ -168,17 +169,24 @@ class Helpers {
|
||||||
|
|
||||||
$hash = hash('sha256', $url);
|
$hash = hash('sha256', $url);
|
||||||
$key = "helpers:url:valid:sha256-{$hash}";
|
$key = "helpers:url:valid:sha256-{$hash}";
|
||||||
$ttl = now()->addMinutes(5);
|
|
||||||
|
|
||||||
$valid = Cache::remember($key, $ttl, function() use($url) {
|
$valid = Cache::remember($key, 900, function() use($url) {
|
||||||
$localhosts = [
|
$localhosts = [
|
||||||
'127.0.0.1', 'localhost', '::1'
|
'127.0.0.1', 'localhost', '::1'
|
||||||
];
|
];
|
||||||
|
|
||||||
if(mb_substr($url, 0, 8) !== 'https://') {
|
if(strtolower(mb_substr($url, 0, 8)) !== 'https://') {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(substr_count($url, '://') !== 1) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(mb_substr($url, 0, 8) !== 'https://') {
|
||||||
|
$url = 'https://' . substr($url, 8);
|
||||||
|
}
|
||||||
|
|
||||||
$valid = filter_var($url, FILTER_VALIDATE_URL);
|
$valid = filter_var($url, FILTER_VALIDATE_URL);
|
||||||
|
|
||||||
if(!$valid) {
|
if(!$valid) {
|
||||||
|
@ -187,15 +195,12 @@ class Helpers {
|
||||||
|
|
||||||
$host = parse_url($valid, PHP_URL_HOST);
|
$host = parse_url($valid, PHP_URL_HOST);
|
||||||
|
|
||||||
// if(count(dns_get_record($host, DNS_A | DNS_AAAA)) == 0) {
|
if(in_array($host, $localhosts)) {
|
||||||
// return false;
|
return false;
|
||||||
// }
|
}
|
||||||
|
|
||||||
if(config('costar.enabled') == true) {
|
if(config('security.url.verify_dns')) {
|
||||||
if(
|
if(DomainService::hasValidDns($host) === false) {
|
||||||
(config('costar.domain.block') != null && Str::contains($host, config('costar.domain.block')) == true) ||
|
|
||||||
(config('costar.actor.block') != null && in_array($url, config('costar.actor.block')) == true)
|
|
||||||
) {
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -207,11 +212,6 @@ class Helpers {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if(in_array($host, $localhosts)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return $url;
|
return $url;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -224,7 +224,7 @@ class Helpers {
|
||||||
if($url == true) {
|
if($url == true) {
|
||||||
$domain = config('pixelfed.domain.app');
|
$domain = config('pixelfed.domain.app');
|
||||||
$host = parse_url($url, PHP_URL_HOST);
|
$host = parse_url($url, PHP_URL_HOST);
|
||||||
$url = $domain === $host ? $url : false;
|
$url = strtolower($domain) === strtolower($host) ? $url : false;
|
||||||
return $url;
|
return $url;
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
|
|
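Review bot: The relocated `in_array($host, $localhosts)` check in the `@ -187` hunk is an exact, case-sensitive match against three literals, so it rejects only the spellings listed in `$localhosts`. `parse_url()` returns IPv6 hosts with their brackets, so the `'::1'` entry cannot match, and other loopback, private or reserved addresses are not covered at all. Normalise first with `$host = strtolower(trim($host, '[]'));` and reject IP-literal hosts that fail `filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)`. As rendered, the same hunk also appears to drop the `costar` domain/actor block check from this closure, which is worth confirming as intended. The enclosing function begins and ends outside the visible hunks.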
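--- a/config/security.php
+++ b/config/security.php
@@ -0,0 +1,9 @@
+<?php
+
+return [
+'url' => [
+'verify_dns' => env('PF_SECURITY_URL_VERIFY_DNS', false),
+
+'trusted_domains' => env('PF_SECURITY_URL_TRUSTED_DOMAINS', 'pixelfed.social,pixelfed.art,mastodon.social'),
+]
+];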
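Review bot: Neither key in `config/security.php` is documented, and the `trusted_domains` default ships three third-party hosts that `DomainService::hasValidDns()` accepts without any lookup. Add a comment above `verify_dns` such as `// Reject URLs whose host has no A/AAAA record; off by default` and one above `trusted_domains` such as `// Comma-separated hosts that skip the DNS check; matched exactly, so no spaces after commas`. An operator who turns the check on would probably expect nothing to be exempt by default, so consider an empty default unless the three hosts are intentional.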