umputun / remark42
Coverage: 85% (default branch master: 84%)
Repo Added 07 Feb 2020 09:18PM UTC
Last build on branch: paskal/image_proxy_blacklist

Build 10238897249, 04 Aug 2024 08:01PM UTC, coverage: 85.013% (+0.2%) from 84.851%
Pull #1804 via github, committer: paskal

Disallow image proxy for private IPs, add blacklist support

This mitigates the problem where a user might probe machines that are
unavailable to the user directly but accessible to the server
hosting Remark42.

Scenarios addressed:

1. A malicious user could learn about the presence of specific software
or hardware running on an internal address. For example, the presence of
an image at `http://192.168.0.1/img/container_bottom_shade_login.png`
can expose the type of router you have.

2. A malicious user might receive non-timeout `invalid content type`
responses from internal addresses, enabling them to scan and identify
HTTP servers running in the internal IP range without revealing their
content but indicating their presence.

The new functionality is breaking, but I assume no one intends to expose
only private network images to the outside world. The old behavior can
be restored by setting the `--image-proxy.allow-private-networks` flag.

Additionally, this change adds the `--image-proxy.blacklist` flag to
allow blacklisting private parts of the infrastructure from being
accessed by the image proxy. You can blacklist IPs (e.g., `8.8.8.8`),
CIDR subnets (e.g., `8.8.8.8/31`), and domains (e.g., `private.example.com`).
Note that all subdomains of a given domain will also be
blacklisted.

`127.0.0.0/8` and `::1/128` ranges are not included as they are most
commonly used for local testing, and it would be cumbersome to prohibit
them. Localhost is considered less of a security threat than probing
other hosts in the network. If desired, localhost can be restricted
using the blacklist functionality.
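The check the PR description calls for, written here as an added example rather than remark42's own code: a blacklist that accepts IPs, CIDRs and domains (subdomains included), plus a private-address refusal that can be switched off the way `--image-proxy.allow-private-networks` does. The `Blacklist` type, `ParseBlacklist` and `Check` are assumed names; the caller passes the addresses a host resolved to, so the example runs without DNS, and blocking link-local addresses alongside RFC 1918 space is this example's choice, not something the PR states.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Blacklist holds parsed entries: IPs and CIDRs as ranges, domains as suffixes.
type Blacklist struct{ nets []*net.IPNet; domains []string }

// ParseBlacklist parses a comma-separated list such as "8.8.8.8,8.8.8.8/31,private.example.com".
func ParseBlacklist(s string) (*Blacklist, error) {
	bl := &Blacklist{}
	for _, e := range strings.Fields(strings.ReplaceAll(strings.ToLower(s), ",", " ")) {
		if ip := net.ParseIP(e); ip != nil { // bare IP: one-address range (ParseIP yields 16-byte form)
			bl.nets = append(bl.nets, &net.IPNet{IP: ip, Mask: net.CIDRMask(128, 128)})
		} else if _, n, err := net.ParseCIDR(e); err == nil {
			bl.nets = append(bl.nets, n)
		} else if strings.Contains(e, "/") { // a malformed range must fail closed at startup
			return nil, fmt.Errorf("bad cidr %q: %w", e, err)
		} else {
			bl.domains = append(bl.domains, strings.TrimSuffix(e, "."))
		}
	}
	return bl, nil
}

// Check returns an error when the proxy must refuse a fetch from host (as url.Hostname
// returns it). resolved holds the addresses host resolved to; a literal IP needs no lookup.
func (b *Blacklist) Check(host string, resolved []net.IP, allowPrivate bool) error {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range b.domains { // exact match or any subdomain
		if host == d || strings.HasSuffix(host, "."+d) {
			return fmt.Errorf("host %q is blacklisted", host)
		}
	}
	if ip := net.ParseIP(host); ip != nil {
		resolved = []net.IP{ip}
	}
	for _, ip := range resolved {
		if !allowPrivate && (ip.IsPrivate() || ip.IsLinkLocalUnicast()) { // loopback stays open
			return fmt.Errorf("%s is a private address", ip)
		}
		for _, n := range b.nets {
			if n.Contains(ip) {
				return fmt.Errorf("%s is in blacklisted range %s", ip, n)
			}
		}
	}
	return nil
}
```

Running the check against every resolved address, not only the first, matters: a name that resolves to one public and one private address must still be refused.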

68 of 68 new or added lines in 3 files covered. (100.0%)

6047 of 7113 relevant lines covered (85.01%)

32.7 hits per line

Source files on paskal/image_proxy_blacklist: 50 files, 8 changed, 3 with coverage changes.

Recent builds

Build 10238897249 | branch paskal/image_proxy_blacklist | commit: Disallow image proxy for private IPs, add blacklist support | type: Pull #1804 | ran 04 Aug 2024 08:03PM UTC | committer paskal via github | coverage 85.01
Build 10238887116 | branch paskal/image_proxy_blacklist | commit: Disallow image proxy for private IPs, add blacklist support | type: push | ran 04 Aug 2024 08:02PM UTC | committer paskal via github | coverage 85.01

See All Builds (1489)
© 2025 Coveralls, Inc