@@ 9,6 9,7 @@ import (
"html/template"
"log"
"mime"
+ "net"
"net/http"
"net/url"
"os"
@@ 254,6 255,12 @@ func main() {
tokenResp = &oauth2.TokenResp{
AccessToken: r.FormValue("token"),
}
+
+ if err := sanityCheckEndpoint(r.Context(), endpoint); err != nil {
+ log.Printf("sanity check failed for Gitea endpoint %q: %v", endpoint, err)
+ http.Error(w, "invalid endpoint", http.StatusBadRequest)
+ return
+ }
} else {
endpoint = giteaEndpoint
@@ 510,3 517,26 @@ func disableRepo(ctx context.Context, owner, repo, origin string) error {
return nil
}
+
+func sanityCheckEndpoint(ctx context.Context, endpoint string) error {
+ u, err := url.Parse(endpoint)
+ if err != nil {
+ return err
+ }
+ if u.Scheme != "https" {
+ return fmt.Errorf("scheme must be HTTPS")
+ }
+
+ ips, err := net.DefaultResolver.LookupIP(ctx, "ip", u.Host)
+ if err != nil {
+ return fmt.Errorf("DNS lookup failed: %v", err)
+ }
+
+ for _, ip := range ips {
+ if ip.IsLoopback() || ip.IsMulticast() || ip.IsPrivate() {
+ return fmt.Errorf("invalid IP %v", ip)
+ }
+ }
+
+ return nil
+}
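Review bot: The lookup `net.DefaultResolver.LookupIP(ctx, "ip", u.Host)` is given `u.Host`, which still carries any `:port` suffix and IPv6 brackets, so an endpoint like `https://gitea.example:3000` fails resolution and is rejected outright; use `u.Hostname()` there instead. The address filter also omits link-local and unspecified addresses (169.254.0.0/16, fe80::/10, 0.0.0.0, ::), which `IsPrivate` does not cover, so the condition should read `if ip.IsLoopback() || ip.IsMulticast() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {`. Note that this function resolves the name once, while the HTTP client that later contacts the endpoint presumably resolves it again, so a record that changes between the two lookups is not caught; pinning the vetted addresses in that client's dialer would close the gap, though the client setup is outside this hunk. Minor: `fmt.Errorf("DNS lookup failed: %w", err)` would preserve the cause for `errors.Is`/`errors.As` where `%v` flattens it.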