
058d5ce05d22581572d77ba6ae6645b86d1a515f — Simon Ser 1 year, 7 months ago 8f77e3b
Sanity check custom Gitea URLs
1 files changed, 30 insertions(+), 0 deletions(-)

M main.go
M main.go => main.go +30 -0
@@ 9,6 9,7 @@ import (
	"html/template"
	"log"
	"mime"
	"net"
	"net/http"
	"net/url"
	"os"


@@ 254,6 255,12 @@ func main() {
			tokenResp = &oauth2.TokenResp{
				AccessToken: r.FormValue("token"),
			}

			if err := sanityCheckEndpoint(r.Context(), endpoint); err != nil {
				log.Printf("sanity check failed for Gitea endpoint %q: %v", endpoint, err)
				http.Error(w, "invalid endpoint", http.StatusBadRequest)
				return
			}
		} else {
			endpoint = giteaEndpoint



@@ 510,3 517,26 @@ func disableRepo(ctx context.Context, owner, repo, origin string) error {

	return nil
}

func sanityCheckEndpoint(ctx context.Context, endpoint string) error {
	u, err := url.Parse(endpoint)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme must be HTTPS")
	}

	ips, err := net.DefaultResolver.LookupIP(ctx, "ip", u.Host)
	if err != nil {
		return fmt.Errorf("DNS lookup failed: %v", err)
	}

	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsMulticast() || ip.IsPrivate() {
			return fmt.Errorf("invalid IP %v", ip)
		}
	}

	return nil
}
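Review bot: In the third hunk, `sanityCheckEndpoint` resolves `u.Host` once and then lets the later request resolve the name again, so an attacker-controlled DNS name can answer with a public address for the check and an internal one for the real connection (DNS rebinding); and `u.Host` still carries any `:port` suffix, so `LookupIP` fails for endpoints on non-default ports and `[::1]`-style literals are not normalised — use `u.Hostname()` and perform the address check at dial time, on every connection. The rejection predicate also omits link-local unicast (`169.254.0.0/16`, where cloud metadata services sit) and the unspecified address, which on Linux connects to localhost; extend it to `ip.IsLoopback() || ip.IsMulticast() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()`. If the client that later talks to the endpoint follows redirects (the client setup is not in this hunk, so this is inferred), a public host can also redirect to an internal address, which the dial-time check covers and the up-front check does not. One shape for the dial-time check, to be installed as the `DialContext` of the transport used for these requests:

```go
// isForbiddenIP reports whether ip must not be contacted from this service.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsMulticast() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// safeDialContext resolves addr, rejects forbidden addresses, and dials only
// the vetted IPs, so a DNS answer that changes after sanityCheckEndpoint
// cannot redirect the connection to an internal host.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIP(ctx, "ip", host)
	if err != nil {
		return nil, fmt.Errorf("DNS lookup failed: %w", err)
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("refusing to connect to %v", ip)
		}
	}
	var d net.Dialer
	var lastErr error
	for _, ip := range ips {
		conn, err := d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
		if err == nil {
			return conn, nil
		}
		lastErr = err
	}
	return nil, lastErr
}
```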