Prevent DNS leak when icon regex is configured
When an icon blacklist regex was configured to not check for a domain, it still did a DNS lookup first. This could cause a DNS leak for these regex-blocked domains. This PR resolves this issue by first checking the regex, and afterwards the other checks. Fixes #2909
Dieser Commit ist enthalten in:
Ursprung
7a7673103f
Commit
0d2399d485
2 geänderte Dateien mit 14 neuen und 11 gelöschten Zeilen
|
@ -262,17 +262,8 @@ use cached::proc_macro::cached;
|
||||||
#[cached(key = "String", convert = r#"{ domain.to_string() }"#, size = 16, time = 60)]
|
#[cached(key = "String", convert = r#"{ domain.to_string() }"#, size = 16, time = 60)]
|
||||||
#[allow(clippy::unused_async)] // This is needed because cached causes a false-positive here.
|
#[allow(clippy::unused_async)] // This is needed because cached causes a false-positive here.
|
||||||
async fn is_domain_blacklisted(domain: &str) -> bool {
|
async fn is_domain_blacklisted(domain: &str) -> bool {
|
||||||
if CONFIG.icon_blacklist_non_global_ips() {
|
// First check the blacklist regex if there is a match.
|
||||||
if let Ok(s) = lookup_host((domain, 0)).await {
|
// This prevents the blocked domain(s) from being leaked via a DNS lookup.
|
||||||
for addr in s {
|
|
||||||
if !is_global(addr.ip()) {
|
|
||||||
debug!("IP {} for domain '{}' is not a global IP!", addr.ip(), domain);
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
|
if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
|
||||||
// Use the pre-generate Regex stored in a Lazy HashMap if there's one, else generate it.
|
// Use the pre-generate Regex stored in a Lazy HashMap if there's one, else generate it.
|
||||||
let is_match = if let Some(regex) = ICON_BLACKLIST_REGEX.get(&blacklist) {
|
let is_match = if let Some(regex) = ICON_BLACKLIST_REGEX.get(&blacklist) {
|
||||||
|
@ -297,6 +288,18 @@ async fn is_domain_blacklisted(domain: &str) -> bool {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if CONFIG.icon_blacklist_non_global_ips() {
|
||||||
|
if let Ok(s) = lookup_host((domain, 0)).await {
|
||||||
|
for addr in s {
|
||||||
|
if !is_global(addr.ip()) {
|
||||||
|
debug!("IP {} for domain '{}' is not a global IP!", addr.ip(), domain);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
false
|
false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
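Review bot: The ordering is the security property of this change, but it is only recorded in two inline comments at the top of the first hunk, and the first of them reads awkwardly; a doc comment on `is_domain_blacklisted` should state that the regex check must stay ahead of `lookup_host` because a regex-matched domain must never be resolved, and that the `#[cached]` result is keyed on `domain` and held for 60 seconds, so a later change to the config ordering or the cache would silently reopen the leak. For the inline comment, `// Check the blacklist regex first: a domain that matches must never reach the DNS lookup below.` followed by the existing second line says the same thing more directly. The non-global-IP check moved into the second hunk only covers the addresses returned by this single `lookup_host` call; if the later fetch resolves the name again (not visible in this diff), it may see a different answer, so that check should be documented as a best-effort filter rather than a guarantee. The part of the function body between the two hunks is outside the diff.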
Binäre Datei nicht angezeigt.
Vorher Breite: | Höhe: | Größe: 331 B Nachher Breite: | Höhe: | Größe: 483 B |