Extra checks for nodeinfo calling domain

2022-01-30 17:21:28 +00:00 · 2022-01-30 17:21:28 +00:00 · 10696e12c1
parent ee49df6805
commit 10696e12c1
2 changed files with 27 additions and 5 deletions
--- a/daemon.py
+++ b/daemon.py
@ -245,6 +245,7 @@ from languages import set_actor_languages
 from languages import get_understood_languages
 from like import update_likes_collection
 from reaction import update_reaction_collection
+from utils import local_network_host
 from utils import undo_reaction_collection_entry
 from utils import get_new_post_endpoints
 from utils import has_actor
@ -1135,6 +1136,9 @@ class PubServer(BaseHTTPRequestHandler):
    def _nodeinfo(self, ua_str: str, calling_domain: str,
                  httpPrefix: str, calling_site_timeout: int,
                  debug: bool) -> bool:
+        if self.path.startswith('/nodeinfo/1.0'):
+            self._400()
+            return True
        if not self.path.startswith('/nodeinfo/2.0'):
            return False
        if calling_domain == self.server.domain_full:
@ -1142,14 +1146,32 @@ class PubServer(BaseHTTPRequestHandler):
            return True
        if self.server.nodeinfo_is_active:
            print('nodeinfo is busy')
-            self._404()
+            self._503()
            return True
        self.server.nodeinfo_is_active = True
        # is this a real website making the call ?
-        if not debug:
+        if not debug and not self.server.unit_test:
+            # Does calling_domain look like a domain?
+            if ' ' in calling_domain or \
+               ';' in calling_domain or \
+               '.' not in calling_domain:
+                print('nodeinfo calling domain does not look like a domain ' +
+                      calling_domain)
+                self._400()
+                self.server.nodeinfo_is_active = False
+                return True
+            if not self.server.allow_local_network_access:
+                if local_network_host(calling_domain):
+                    print('nodeinfo calling domain is from the ' +
+                          'local network ' + calling_domain)
+                    self._400()
+                    self.server.nodeinfo_is_active = False
+                    return True
            if not site_is_active(httpPrefix + '://' + calling_domain,
                                  calling_site_timeout):
-                self._404()
+                print('nodeinfo calling domain is not active ' +
+                      calling_domain)
+                self._400()
                self.server.nodeinfo_is_active = False
                return True
        if self.server.debug:
--- a/utils.py
+++ b/utils.py
@ -179,7 +179,7 @@ def get_sha_512(msg: str):
    return digest.finalize()


-def _local_network_host(host: str) -> bool:
+def local_network_host(host: str) -> bool:
    """Returns true if the given host is on the local network
    """
    if host.startswith('localhost') or \
@ -196,7 +196,7 @@ def decoded_host(host: str) -> str:
    """
    if ':' not in host:
        # eg. mydomain:8000
-        if not _local_network_host(host):
+        if not local_network_host(host):
            if not host.endswith('.onion'):
                if not host.endswith('.i2p'):
                    return idna.decode(host)