From 5520c6ff3d23ea5aea58c87b924b260eef82cefa Mon Sep 17 00:00:00 2001
From: Namekuji
Date: Fri, 18 Aug 2023 04:57:19 -0400
Subject: [PATCH] fix: veiry url

---
 .../backend/src/services/drive/upload-from-url.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/packages/backend/src/services/drive/upload-from-url.ts b/packages/backend/src/services/drive/upload-from-url.ts
index 9d71757e3..e3ee875c5 100644
--- a/packages/backend/src/services/drive/upload-from-url.ts
+++ b/packages/backend/src/services/drive/upload-from-url.ts
@@ -23,6 +23,9 @@ type Args = {
 requestHeaders?: Record | null;
 };
 
+const PRIVATE_IP =
+ /(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)/;
+
 export async function uploadFromUrl({
 url,
 user,
@@ -35,7 +38,15 @@ export async function uploadFromUrl({
 requestIp = null,
 requestHeaders = null,
 }: Args): Promise {
- let name = new URL(url).pathname.split("/").pop() || null;
+ const parsedUrl = new URL(url);
+ if (
+ process.env.NODE_ENV === "production" &&
+ PRIVATE_IP.test(parsedUrl.hostname)
+ ) {
+ throw new Error("Private IP is not allowed");
+ }
+
+ let name = parsedUrl.pathname.split("/").pop() || null;
 if (name == null || !DriveFiles.validateFileName(name)) {
 name = null;
 }
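Review bot: The new guard in uploadFromUrl only pattern-matches the literal hostname string, so it never looks at what the name resolves to — a hostname that resolves to an internal address, an IPv6 literal (the bracketed hostname cannot match this IPv4-only regex), the loopback/link-local ranges 0.0.0.0/8 and 169.254.0.0/16, and other numeric spellings of the same IPv4 addresses all pass the check. A more robust version resolves the hostname and validates the resolved addresses (e.g. `dns.promises.lookup(parsedUrl.hostname, { all: true })`, or better a custom `lookup` on the HTTP agent so the address actually connected to is the one checked), rejecting loopback, private, link-local and ULA ranges for both IPv4 and IPv6 and using `net.isIP` to tell literals from names; at minimum the regex should carry a comment such as `// NOTE: matches the hostname text only; names that resolve to internal addresses are not caught`. Gating on `process.env.NODE_ENV === "production"` leaves every staging or self-hosted non-production deployment without the check; the restriction should apply unconditionally, with an explicit allow-list option if local development needs exceptions. The download itself happens outside this hunk, so whether redirect targets are re-validated against the same rule cannot be seen here and should be confirmed.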