Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix redirection #694

Closed
wants to merge 5 commits into from
Closed

Fix redirection #694

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
08ef3b7
add invoked contract (#657)
Ashuaidehao Dec 15, 2021
3d1908d
add in file copyright (#679)
Jim8y Dec 15, 2021
8c3a9ab
witness rule support (#676)
Ashuaidehao Dec 15, 2021
78242fc
Fix redirection
erikzhang Mar 2, 2022
d5397e6
Fix
erikzhang Mar 2, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions src/OracleService/Protocols/OracleHttpsProtocol.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ namespace Neo.Plugins
{
class OracleHttpsProtocol : IOracleProtocol
{
private readonly HttpClient client = new HttpClient();
private readonly HttpClient client = new(new HttpClientHandler { MaxAutomaticRedirections = 5 });

public OracleHttpsProtocol()
{
Expand Down Expand Up @@ -50,7 +50,7 @@ public void Dispose()

if (!Settings.Default.AllowPrivateHost)
{
IPHostEntry entry = await Dns.GetHostEntryAsync(uri.Host);
IPHostEntry entry = await Dns.GetHostEntryAsync(uri.Host, cancellation);
if (entry.IsInternal())
return (OracleResponseCode.Forbidden, null);
}
Expand All @@ -72,6 +72,14 @@ public void Dispose()
return (OracleResponseCode.Error, null);
if (!Settings.Default.AllowedContentTypes.Contains(message.Content.Headers.ContentType.MediaType))
return (OracleResponseCode.ContentTypeNotSupported, null);

if (!Settings.Default.AllowPrivateHost && message.RequestMessage.RequestUri != uri)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it really works to prevent ssrf since the request is already sent in the line:

message = await client.GetAsync(uri, HttpCompletionOption.ResponseContentRead, cancellation);

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. It will leak information such as resource existence at least because this check is not the first branch.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with @vang1ong7ang , I think that the redirection must be manual like #692

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, should not assume GET requests have no side effect.

{
IPHostEntry entry = await Dns.GetHostEntryAsync(uri.Host, cancellation);
erikzhang marked this conversation as resolved.
Show resolved Hide resolved
if (entry.IsInternal())
return (OracleResponseCode.Forbidden, null);
}

return (OracleResponseCode.Success, await message.Content.ReadAsStringAsync(cancellation));
}
}
Expand Down