fix: prevent SSRF via open redirect bypass in fetch-url endpoint (#2119)

rtrompier · web-flow · commit 56f38212f418 · 2026-02-18T11:25:16.000+01:00
diff --git a/src/lib/server/urlSafety.ts b/src/lib/server/urlSafety.ts
@@ -1,25 +1,68 @@
-// Shared server-side URL safety helper (exact behavior preserved)
+import { Address4, Address6 } from "ip-address";
+import { isIP } from "node:net";
+
+const UNSAFE_IPV4_SUBNETS = [
+	"0.0.0.0/8",
+	"10.0.0.0/8",
+	"100.64.0.0/10",
+	"127.0.0.0/8",
+	"169.254.0.0/16",
+	"172.16.0.0/12",
+	"192.168.0.0/16",
+].map((s) => new Address4(s));
+
+function isUnsafeIp(address: string): boolean {
+	const family = isIP(address);
+
+	if (family === 4) {
+		const addr = new Address4(address);
+		return UNSAFE_IPV4_SUBNETS.some((subnet) => addr.isInSubnet(subnet));
+	}
+
+	if (family === 6) {
+		const addr = new Address6(address);
+		// Check IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1)
+		if (addr.is4()) {
+			const v4 = addr.to4();
+			return UNSAFE_IPV4_SUBNETS.some((subnet) => v4.isInSubnet(subnet));
+		}
+		return addr.isLoopback() || addr.isLinkLocal();
+	}
+
+	return true; // Unknown format → block
+}
+
+/**
+ * Synchronous URL validation: checks protocol and hostname string.
+ */
 export function isValidUrl(urlString: string): boolean {
 	try {
 		const url = new URL(urlString.trim());
-		// Only allow HTTPS protocol
 		if (url.protocol !== "https:") {
 			return false;
 		}
-		// Prevent localhost/private IPs (basic check)
 		const hostname = url.hostname.toLowerCase();
-		if (
-			hostname === "localhost" ||
-			hostname.startsWith("127.") ||
-			hostname.startsWith("192.168.") ||
-			hostname.startsWith("172.16.") ||
-			hostname === "[::1]" ||
-			hostname === "0.0.0.0"
-		) {
+		if (hostname === "localhost") {
 			return false;
 		}
+		// If the hostname is a raw IP literal, validate it
+		const cleanHostname = hostname.replace(/^\[|]$/g, "");
+		if (isIP(cleanHostname)) {
+			return !isUnsafeIp(cleanHostname);
+		}
 		return true;
 	} catch {
 		return false;
 	}
 }
+
+/**
+ * Assert that a resolved IP address is safe (not internal/private).
+ * Throws if the IP is internal. Used in undici's custom DNS lookup
+ * to validate IPs at connection time (prevents TOCTOU DNS rebinding).
+ */
+export function assertSafeIp(address: string, hostname: string): void {
+	if (isUnsafeIp(address)) {
+		throw new Error(`Resolved IP for ${hostname} is internal (${address})`);
+	}
+}
diff --git a/src/routes/api/fetch-url/+server.ts b/src/routes/api/fetch-url/+server.ts
@@ -1,10 +1,12 @@
 import { error } from "@sveltejs/kit";
 import { logger } from "$lib/server/logger.js";
-import { fetch } from "undici";
-import { isValidUrl } from "$lib/server/urlSafety";
+import { Agent, fetch } from "undici";
+import { isValidUrl, assertSafeIp } from "$lib/server/urlSafety";
+import dns from "node:dns";
 
 const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
 const FETCH_TIMEOUT = 30000; // 30 seconds
+const MAX_REDIRECTS = 5;
 const SECURITY_HEADERS: HeadersInit = {
 	// Prevent any active content from executing if someone navigates directly to this endpoint.
 	"Content-Security-Policy":
@@ -14,6 +16,36 @@ const SECURITY_HEADERS: HeadersInit = {
 	"Referrer-Policy": "no-referrer",
 };
 
+/**
+ * Undici dispatcher that validates resolved IPs at connection time,
+ * preventing TOCTOU DNS rebinding attacks.
+ */
+const ssrfSafeAgent = new Agent({
+	connect: {
+		lookup: (hostname, options, callback) => {
+			dns.lookup(hostname, options, (err, address, family) => {
+				if (err) return callback(err, "", 4);
+				if (typeof address === "string") {
+					try {
+						assertSafeIp(address, hostname);
+					} catch (e) {
+						return callback(e as Error, "", 4);
+					}
+				} else if (Array.isArray(address)) {
+					for (const entry of address) {
+						try {
+							assertSafeIp(entry.address, hostname);
+						} catch (e) {
+							return callback(e as Error, "", 4);
+						}
+					}
+				}
+				return callback(null, address, family);
+			});
+		},
+	},
+});
+
 export async function GET({ url }) {
 	const targetUrl = url.searchParams.get("url");
 
@@ -27,62 +59,89 @@ export async function GET({ url }) {
 		throw error(400, "Invalid or unsafe URL (only HTTPS is supported)");
 	}
 
+	// Fetch with timeout, following redirects manually to validate each hop
+	const controller = new AbortController();
+	const timeoutId = setTimeout(() => controller.abort(), FETCH_TIMEOUT);
+
+	let currentUrl = targetUrl;
+	let response: Awaited<ReturnType<typeof fetch>>;
+	let redirectCount = 0;
+
 	try {
-		// Fetch with timeout
-		const controller = new AbortController();
-		const timeoutId = setTimeout(() => controller.abort(), FETCH_TIMEOUT);
-
-		const response = await fetch(targetUrl, {
-			signal: controller.signal,
-			headers: {
-				"User-Agent": "HuggingChat-Attachment-Fetcher/1.0",
-			},
-		}).finally(() => clearTimeout(timeoutId));
-
-		if (!response.ok) {
-			logger.error({ targetUrl, response }, "Error fetching URL. Response not ok.");
-			throw error(response.status, `Failed to fetch: ${response.statusText}`);
-		}
+		// eslint-disable-next-line no-constant-condition
+		while (true) {
+			response = await fetch(currentUrl, {
+				signal: controller.signal,
+				redirect: "manual",
+				dispatcher: ssrfSafeAgent,
+				headers: {
+					"User-Agent": "HuggingChat-Attachment-Fetcher/1.0",
+				},
+			});
 
-		// Check content length if available
-		const contentLength = response.headers.get("content-length");
-		if (contentLength && parseInt(contentLength) > MAX_FILE_SIZE) {
-			throw error(413, "File too large (max 10MB)");
-		}
+			if (response.status >= 300 && response.status < 400) {
+				redirectCount++;
+				if (redirectCount > MAX_REDIRECTS) {
+					throw error(502, "Too many redirects");
+				}
 
-		// Stream the response back
-		const originalContentType = response.headers.get("content-type") || "application/octet-stream";
-		// Send as text/plain for safety; expose the original type via secondary header
-		const safeContentType = "text/plain; charset=utf-8";
-		const contentDisposition = response.headers.get("content-disposition");
-
-		const headers: HeadersInit = {
-			"Content-Type": safeContentType,
-			"X-Forwarded-Content-Type": originalContentType,
-			"Cache-Control": "public, max-age=3600",
-			...(contentDisposition ? { "Content-Disposition": contentDisposition } : {}),
-			...SECURITY_HEADERS,
-		};
-
-		// Get the body as array buffer to check size
-		const arrayBuffer = await response.arrayBuffer();
-
-		if (arrayBuffer.byteLength > MAX_FILE_SIZE) {
-			throw error(413, "File too large (max 10MB)");
-		}
+				const location = response.headers.get("location");
+				if (!location) {
+					throw error(502, "Redirect without Location header");
+				}
+
+				// Resolve relative redirects against the current URL
+				const redirectUrl = new URL(location, currentUrl).toString();
 
-		return new Response(arrayBuffer, { headers });
-	} catch (err) {
-		if (err instanceof Error) {
-			if (err.name === "AbortError") {
-				logger.error(err, "Request timeout");
-				throw error(504, "Request timeout");
+				if (!isValidUrl(redirectUrl)) {
+					logger.warn(
+						{ redirectUrl, originalUrl: targetUrl },
+						"Redirect to unsafe URL blocked (SSRF)"
+					);
+					throw error(403, "Redirect target is not allowed");
+				}
+
+				currentUrl = redirectUrl;
+				continue;
 			}
 
-			logger.error(err, "Error fetching URL");
-			throw error(500, `Failed to fetch URL: ${err.message}`);
+			break;
 		}
-		logger.error(err, "Error fetching URL");
-		throw error(500, "Failed to fetch URL.");
+	} finally {
+		clearTimeout(timeoutId);
+	}
+
+	if (!response.ok) {
+		logger.error({ targetUrl, response }, "Error fetching URL. Response not ok.");
+		throw error(response.status, `Failed to fetch: ${response.statusText}`);
+	}
+
+	// Check content length if available
+	const contentLength = response.headers.get("content-length");
+	if (contentLength && parseInt(contentLength) > MAX_FILE_SIZE) {
+		throw error(413, "File too large (max 10MB)");
 	}
+
+	// Stream the response back
+	const originalContentType = response.headers.get("content-type") || "application/octet-stream";
+	// Send as text/plain for safety; expose the original type via secondary header
+	const safeContentType = "text/plain; charset=utf-8";
+	const contentDisposition = response.headers.get("content-disposition");
+
+	const headers: HeadersInit = {
+		"Content-Type": safeContentType,
+		"X-Forwarded-Content-Type": originalContentType,
+		"Cache-Control": "public, max-age=3600",
+		...(contentDisposition ? { "Content-Disposition": contentDisposition } : {}),
+		...SECURITY_HEADERS,
+	};
+
+	// Get the body as array buffer to check size
+	const arrayBuffer = await response.arrayBuffer();
+
+	if (arrayBuffer.byteLength > MAX_FILE_SIZE) {
+		throw error(413, "File too large (max 10MB)");
+	}
+
+	return new Response(arrayBuffer, { headers });
 }
