Talon/chat_grid
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden origin and media URL security

Browse Source
This commit is contained in:
Jage9
2026-03-08 20:51:50 -04:00
parent 3d69bbcea2
commit 78bc931cce
12 changed files with 378 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

165
server/app/network_security.py Normal file
View File

@@ -0,0 +1,165 @@
"""Helpers for browser-origin policy and SSRF-safe outbound URL handling."""
from __future__ import annotations
import ipaddress
import socket
from typing import Iterable
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit, urlunsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener
IpAddress = ipaddress.IPv4Address | ipaddress.IPv6Address
class _NoRedirectHandler(HTTPRedirectHandler):
"""Disable automatic redirects so each hop can be revalidated."""
def redirect_request(self, req, fp, code, msg, headers, newurl): # type: ignore[override]
"""Return None so urllib surfaces redirects as HTTPError objects."""
return None
_NO_REDIRECT_OPENER = build_opener(_NoRedirectHandler)
def _format_host(host: str) -> str:
"""Return one hostname/IP suitable for URL netloc reconstruction."""
if ":" in host and not host.startswith("["):
return f"[{host}]"
return host
def _normalize_netloc(parts) -> str:
"""Rebuild one normalized netloc from parsed URL parts."""
if not parts.hostname:
raise ValueError("host is required")
netloc = _format_host(parts.hostname.lower())
if parts.port is not None:
netloc = f"{netloc}:{parts.port}"
return netloc
def normalize_origin(value: str, *, field_name: str = "origin") -> str:
"""Validate and normalize one browser origin string."""
text = value.strip()
if not text:
raise ValueError(f"{field_name} must not be empty.")
try:
parts = urlsplit(text)
netloc = _normalize_netloc(parts)
except ValueError as exc:
raise ValueError(f"{field_name} must be a valid http/https origin.") from exc
scheme = parts.scheme.lower()
if scheme not in {"http", "https"}:
raise ValueError(f"{field_name} must use http or https.")
if parts.username is not None or parts.password is not None:
raise ValueError(f"{field_name} must not include credentials.")
if parts.path not in {"", "/"} or parts.query or parts.fragment:
raise ValueError(f"{field_name} must not include path, query, or fragment.")
return urlunsplit((scheme, netloc, "", "", ""))
def _resolve_host_ips(host: str) -> set[IpAddress]:
"""Resolve one hostname or IP literal to concrete IP addresses."""
try:
return {ipaddress.ip_address(host)}
except ValueError:
pass
resolved: set[IpAddress] = set()
try:
infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
except socket.gaierror as exc:
raise ValueError("DNS resolution failed.") from exc
for family, _type, _proto, _canonname, sockaddr in infos:
if family == socket.AF_INET:
resolved.add(ipaddress.ip_address(sockaddr[0]))
elif family == socket.AF_INET6:
resolved.add(ipaddress.ip_address(sockaddr[0]))
if not resolved:
raise ValueError("DNS resolution failed.")
return resolved
def _ensure_public_ips(addresses: Iterable[IpAddress], *, field_name: str) -> None:
"""Reject non-public IP addresses for SSRF-sensitive outbound requests."""
for address in addresses:
if not address.is_global:
raise ValueError(f"{field_name} must resolve to a public IP address.")
def validate_public_media_url(value: str, *, field_name: str = "url") -> str:
"""Validate and normalize one public http/https media URL."""
text = value.strip()
if not text:
return ""
try:
parts = urlsplit(text)
netloc = _normalize_netloc(parts)
except ValueError as exc:
raise ValueError(f"{field_name} must be a valid http/https URL.") from exc
scheme = parts.scheme.lower()
if scheme not in {"http", "https"}:
raise ValueError(f"{field_name} must use http or https.")
if parts.username is not None or parts.password is not None:
raise ValueError(f"{field_name} must not include credentials.")
_ensure_public_ips(_resolve_host_ips(parts.hostname or ""), field_name=field_name)
return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))
def validate_media_reference(value: str, *, field_name: str = "url") -> str:
"""Validate one media reference as either a public URL or a site-relative path."""
text = value.strip()
if not text:
return ""
parts = urlsplit(text)
if parts.scheme:
return validate_public_media_url(text, field_name=field_name)
if parts.netloc:
raise ValueError(f"{field_name} must use http or https when specifying a host.")
if not text.startswith("/"):
raise ValueError(f"{field_name} must be an absolute http/https URL or site-relative path.")
return text
def open_validated_public_url(
url: str,
*,
headers: dict[str, str] | None = None,
timeout: float = 6.0,
max_redirects: int = 5,
):
"""Open one public media URL while revalidating each redirect target."""
current_url = validate_public_media_url(url)
request_headers = headers or {}
for redirect_count in range(max_redirects + 1):
request = Request(current_url, headers=request_headers)
try:
return _NO_REDIRECT_OPENER.open(request, timeout=timeout)
except HTTPError as exc:
try:
if 300 <= exc.code < 400:
if redirect_count >= max_redirects:
raise ValueError("Too many redirects.")
location = str(exc.headers.get("Location") or "").strip()
if not location:
raise ValueError("Redirect location missing or invalid.")
current_url = validate_public_media_url(urljoin(current_url, location))
continue
raise
finally:
exc.close()
raise ValueError("Too many redirects.")