From 0d2399d485e7933ba08dc354200e545fa03f3d90 Mon Sep 17 00:00:00 2001
From: BlackDex
Date: Mon, 14 Nov 2022 17:25:44 +0100
Subject: [PATCH] Prevent DNS leak when icon regex is configured

When a icon blacklist regex was configured to not check for a domain, it still did a DNS lookup first. This could cause a DNS leakage for these regex blocked domains.

This PR resolves this issue by first checking the regex, and afterwards the other checks.

Fixes #2909
---
 src/api/icons.rs | 25 ++++++++++++++-----------
 src/static/images/fallback-icon.png | Bin 331 -> 483 bytes
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/api/icons.rs b/src/api/icons.rs
index cea3ad56..a69b7359 100644
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@@ -262,17 +262,8 @@ use cached::proc_macro::cached;
 #[cached(key = "String", convert = r#"{ domain.to_string() }"#, size = 16, time = 60)]
 #[allow(clippy::unused_async)] // This is needed because cached causes a false-positive here.
 async fn is_domain_blacklisted(domain: &str) -> bool {
- if CONFIG.icon_blacklist_non_global_ips() {
- if let Ok(s) = lookup_host((domain, 0)).await {
- for addr in s {
- if !is_global(addr.ip()) {
- debug!("IP {} for domain '{}' is not a global IP!", addr.ip(), domain);
- return true;
- }
- }
- }
- }
-
+ // First check the blacklist regex if there is a match.
+ // This prevents the blocked domain(s) from being leaked via a DNS lookup.
 if let Some(blacklist) = CONFIG.icon_blacklist_regex() {
 // Use the pre-generate Regex stored in a Lazy HashMap if there's one, else generate it.
 let is_match = if let Some(regex) = ICON_BLACKLIST_REGEX.get(&blacklist) {
@@ -297,6 +288,18 @@ async fn is_domain_blacklisted(domain: &str) -> bool {
 return true;
 }
 }
+ if CONFIG.icon_blacklist_non_global_ips() {
+ if let Ok(s) = lookup_host((domain, 0)).await {
+ for addr in s {
+ if !is_global(addr.ip()) {
+ debug!("IP {} for domain '{}' is not a global IP!", addr.ip(), domain);
+ return true;
+ }
+ }
+ }
+ }
+
 false
 }
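Review bot: The regex-before-DNS ordering this fix establishes is now load-bearing, but only a body comment records it; a doc comment on `is_domain_blacklisted` would make the contract survive later edits, e.g. `/// Checks the regex blacklist before any network I/O so blacklisted domains are never resolved; the non-global-IP check does a DNS lookup and must stay after it.` Separately, the re-added `if let Ok(s) = lookup_host((domain, 0)).await` keeps the old fail-open behaviour: a resolver error yields `false`, which `#[cached(... time = 60)]` then stores for 60 s, so a transient DNS failure lets a non-global-IP domain through for that window — worth either logging at `debug!` level or documenting as intended. The address inspected here is also not necessarily the one a later fetch connects to (that path is outside this hunk), so if the fetch re-resolves the name, a domain whose second resolution differs would pass this check; pinning the resolved address for the fetch would close that, if it is not already done. The function body between the two hunks is not shown.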
diff --git a/src/static/images/fallback-icon.png b/src/static/images/fallback-icon.png index e30b532e65a0304622ad2938bee02fcbc2f89987..7fb0b454201feacfe6906067231d545044e43b53 100644 GIT binary patch literal 483 zcmV<90UZ8`P)I#ZQHhO+YW2@&+I(E{dUJE=TZ`(G{y;D^MhCJ zYEh*mB@?ph9KLgc@!G&DStmYooo_m8LRLv+d|}RVJEEEd(33$TUM=o&W_;lUCnx$z zO>vCLA6Y~sq5wxUmx$)#u$~@~#h1Bo53D|0G(z{Vj%Dn(ZJZ*Hh%da$%uwRraZXl& zCKIv;{uw)DkN~a6H&+bC1qnlk47%Dme>8*>EOvPWSQ$n!U_$!9DNg%|*f@>}uWczu z#uaqwXVZDMT-)0ijS~mubgek7KCgryR>i8Y)f%&(Mt)}5ZCj`|myxv7?sHYp$~-8Kd)Z*p83M zmarjuntNO)PqG~AbCfs;>Y5002ovPDHLkV1g04+9&`3 literal 331 zcmV-R0kr;!P)k@@&$eP0S64l=K_sN$BuK6XOfRIOm@a>|#`zV3>$SuCU-E zQMLhNNdZQ}mLg4h7}w;&4I~^WgDEch53KQxu_K8J#uJg;;S%H2>0%`0#3hDNkUZ3| z)RKrpF(U^@SmwIYFTOIS06B_$xJX4jq-Bc*iBq~XFz2#3&YDm1Y*5AUj*7Bt@7bor zt()Ab4=v2u=8Re9(v!>TLqviPy@%-#G5Z?8B+o8VCr^bA$ish5vPevi7gqEa3aqk6 djV-3-_yJsJ=ebCXRj>d6002ovPDHLkV1l