Filter out uncommon URLs where the hostname is an IPv4 address.

whotracksme · Sep 30, 2024 · ddbcd91 · ddbcd91
1 parent 1d30dbc
commit ddbcd91
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 3 deletions.
diff --git a/reporting/src/sanitizer.js b/reporting/src/sanitizer.js
@@ -11,7 +11,6 @@
 
 import logger from './logger';
 import { isHash } from './hash-detector';
-//import { isHash } from './hash-detector-new';
 
 function isCharNumber(char) {
   const code = char.charCodeAt(0);
@@ -221,11 +220,17 @@ function tryParseUrl(url) {
   }
 }
 
-function checkForInternalIp(hostname) {
+function isPrivateHostname(hostname) {
   // TODO: this could be extended to detect more cases
   return hostname === 'localhost' || hostname === '127.0.0.1';
 }
 
+// Note: This is a conservative implementation that detects all valid IPv4 addresses.
+// It may produce false-positives, so consider this if using for other purposes.
+function looksLikeIPv4Address(hostname) {
+  return /^[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}$/.test(hostname);
+}
+
 function looksLikeSafeUrlParameter(key, value) {
   return value.length < 18 || /^[a-z-_]+$/.test(value);
 }
@@ -346,9 +351,12 @@ export function sanitizeUrl(url, options = {}) {
   if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
     return drop('URL has uncommon protocol');
   }
-  if (checkForInternalIp(parsedUrl.hostname)) {
+  if (isPrivateHostname(parsedUrl.hostname)) {
     return drop('URL is not public');
   }
+  if (looksLikeIPv4Address(parsedUrl.hostname)) {
+    return drop('hostname is an ipv4 address');
+  }
   if (urlLeaksExtensionId(url)) {
     return drop('URL leaks extension ID');
   }

diff --git a/reporting/test/sanitizer.spec.js b/reporting/test/sanitizer.spec.js
@@ -383,6 +383,22 @@ describe('#sanitizeUrl', function () {
     });
   });
 
+  describe('should drop URls where IP addresses are used as hostnames', function () {
+    [
+      'http://182.180.189.84/',
+      'http://192.168.0.119/',
+      'http://85.11.187.84/saff/index.php?topic=3221141.0',
+      'http://10.234.0.1/',
+      'https://10.234.0.1/',
+      'http://0.0.0.0/',
+      'http://1.1.1.1/',
+    ].forEach((url) => {
+      it(`should drop URL: ${url}`, function () {
+        shouldBeDropped(url);
+      });
+    });
+  });
+
   describe('should drop URLs with non-standard HTTP ports', function () {
     ['http://myserver.test:1234/', 'https://www.myserver.test:5678/'].forEach(
       (url) => {