Mirror of https://github.com/dani-garcia/vaultwarden.git, synchronized 2025-01-23 07:18:59 +01:00

Prevent DNS leak when icon regex is configured

When an icon blacklist regex was configured to not check for a domain, it
still did a DNS lookup first. This could cause a DNS leakage for these
regex blocked domains.

This PR resolves this issue by first checking the regex, and afterwards
the other checks.

Fixes #2909
This commit is contained in:
BlackDex 2022-11-14 17:25:44 +01:00
Parent 7a7673103f
Commit 0d2399d485
No GPG key could be found for this signature
GPG key ID: 58C80A2AA6C765E1
2 changed files with 14 additions and 11 deletions


@ -262,17 +262,8 @@ use cached::proc_macro::cached;
#[cached(key = "String", convert = r#"{ domain.to_string() }"#, size = 16, time = 60)]
#[allow(clippy::unused_async)] // This is needed because cached causes a false-positive here.
async fn is_domain_blacklisted(domain: &str) -> bool {
if CONFIG.icon_blacklist_non_global_ips() {
if let Ok(s) = lookup_host((domain, 0)).await {
for addr in s {
if !is_global(addr.ip()) {
debug!("IP {} for domain '{}' is not a global IP!", addr.ip(), domain);
return true;
}
}
}
}
// First check the blacklist regex if there is a match.
// This prevents the blocked domain(s) from being leaked via a DNS lookup.
if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
// Use the pre-generate Regex stored in a Lazy HashMap if there's one, else generate it.
let is_match = if let Some(regex) = ICON_BLACKLIST_REGEX.get(&blacklist) {
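Review bot: the comment `// Use the pre-generate Regex stored in a Lazy HashMap if there's one, else generate it.` added in this hunk should read "pre-generated". On the substance, removing the `lookup_host((domain, 0))` block from the top of `is_domain_blacklisted` and placing the `icon_blacklist_regex` check first is the right fix for the leak described in the commit message: the resolver was being queried before any local decision had been taken, so a domain the operator deliberately excluded by regex still produced an outbound DNS query. The added comment `// This prevents the blocked domain(s) from being leaked via a DNS lookup.` documents why the ordering matters; that is worth keeping next to the check, since the `#[cached]` attribute above the function makes the ordering easy to lose in a later refactor.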
@ -297,6 +288,18 @@ async fn is_domain_blacklisted(domain: &str) -> bool {
return true;
}
}
if CONFIG.icon_blacklist_non_global_ips() {
if let Ok(s) = lookup_host((domain, 0)).await {
for addr in s {
if !is_global(addr.ip()) {
debug!("IP {} for domain '{}' is not a global IP!", addr.ip(), domain);
return true;
}
}
}
}
false
}
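Review bot: in this hunk the `if CONFIG.icon_blacklist_non_global_ips()` block is now reached only after the regex check has returned, so `lookup_host` is called solely for domains that did not match `icon_blacklist_regex`, which is the behaviour the commit message asks for. One point worth a comment rather than a code change: `if let Ok(s) = lookup_host((domain, 0)).await` silently falls through to `false` when resolution fails, so an unresolvable domain is treated as not blacklisted; this is pre-existing behaviour that the move does not alter, but a short note next to the final `false` (e.g. `// A resolution error is not treated as a blacklist hit.`) would make that intent explicit for the next reader. Also note that because the function is memoised with `#[cached(... time = 60)]`, a domain that resolves to a non-global address stays blocked for up to a minute even if its records change.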

Binary file not shown.

Before

Width: | Height: | Size: 331 B

After

Width: | Height: | Size: 483 B