fix: disable redirects to guard against possible SSRFs

scloud-swebz · Apr 25, 2023 · f40135d · f40135d
1 parent b8fe446
commit f40135d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/activitypub/webfinger/webfinger.go b/activitypub/webfinger/webfinger.go
@@ -29,7 +29,14 @@ func GetWebfingerLinks(account string) ([]map[string]interface{}, error) {
 	query.Add("resource", fmt.Sprintf("acct:%s", account))
 	requestURL.RawQuery = query.Encode()
 
-	response, err := http.DefaultClient.Get(requestURL.String())
+	// Do not support redirects.
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
+	response, err := client.Get(requestURL.String())
 	if err != nil {
 		return nil, err
 	}

diff --git a/auth/indieauth/client.go b/auth/indieauth/client.go
@@ -80,7 +80,13 @@ func HandleCallbackCode(code, state string) (*Request, *Response, error) {
 	data.Set("redirect_uri", request.Callback.String())
 	data.Set("code_verifier", request.CodeVerifier)
 
-	client := &http.Client{}
+	// Do not support redirects.
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
 	r, err := http.NewRequest("POST", request.Endpoint.String(), strings.NewReader(data.Encode())) // URL-encoded payload
 	if err != nil {
 		return nil, nil, err