Block Private URLs at serverurl API endpoint (#3295)

* Block Private URLs at `serverurl` API endpoint * Block Private URLs at `serverurl` with `net/netip`
2025-11-03 04:27:18 +08:00 · 2023-09-07 08:58:15 +05:30
parent 50c4c1a5c7
commit 062de79920
2 changed files with 19 additions and 0 deletions
--- a/controllers/admin/config.go
+++ b/controllers/admin/config.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"reflect"
@ -406,6 +407,14 @@ func SetServerURL(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// Block Private IP URLs
+	ipAddr, ipErr := netip.ParseAddr(utils.GetHostnameWithoutPortFromURLString(rawValue))
+
+	if ipErr == nil && ipAddr.IsPrivate() {
+		controllers.WriteSimpleResponse(w, false, "Server URL cannot be private")
+		return
+	}
+
 	// Trim any trailing slash
 	serverURL := strings.TrimRight(rawValue, "/")