
fix: veiry url

Namekuji 2023-08-18 04:57:19 -04:00
parent 36c9d5a870
commit 5520c6ff3d
No known key found for this signature in database
GPG key ID: 1D62332C07FBA532


@ -23,6 +23,9 @@ type Args = {
requestHeaders?: Record<string, string> | null;
};
const PRIVATE_IP =
/(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)/;
export async function uploadFromUrl({
url,
user,
@ -35,7 +38,15 @@ export async function uploadFromUrl({
requestIp = null,
requestHeaders = null,
}: Args): Promise<DriveFile> {
let name = new URL(url).pathname.split("/").pop() || null;
const parsedUrl = new URL(url);
if (
process.env.NODE_ENV === "production" &&
PRIVATE_IP.test(parsedUrl.hostname)
) {
throw new Error("Private IP is not allowed");
}
let name = parsedUrl.pathname.split("/").pop() || null;
if (name == null || !DriveFiles.validateFileName(name)) {
name = null;
}
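Review bot: The `PRIVATE_IP.test(parsedUrl.hostname)` guard added to `uploadFromUrl` matches only IPv4 literals in 127/8, 10/8, 172.16/12 and 192.168/16 as text, so it leaves link-local 169.254.0.0/16, 0.0.0.0, IPv6 loopback and unique-local addresses, `localhost`, and any hostname that resolves to an internal address uncovered, and it is skipped whenever `NODE_ENV` is not `production`. The download itself happens outside this hunk, so I cannot tell whether the resolved address or redirects are checked there; if they are not, the check belongs on the address the connection is actually made to, repeated for each redirect, rather than on the URL string. Because the pattern is anchored only at the start, it also rejects public hostnames such as `10.example.com`, which an IP-literal test before the regex would avoid. At minimum I would state the limit above the constant: `// Matches loopback and RFC 1918 IPv4 literals only; hostnames, IPv6 and redirects are not covered.`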