noodlemagazine fix

2026-03-20 21:05:18 +00:00
parent 46cd348148
commit 259a07686d
2 changed files with 63 additions and 9 deletions
--- a/src/proxies/noodlemagazine.rs
+++ b/src/proxies/noodlemagazine.rs
@@ -4,6 +4,7 @@ use ntex::{
    web::{self, HttpRequest, error},
 };
 use serde_json::Value;
+use std::net::IpAddr;
 use url::Url;
 use wreq::Version;

@@ -110,6 +111,31 @@ impl NoodlemagazineProxy {
            .any(|ext| path.ends_with(ext))
    }

+    fn is_disallowed_thumb_host(host: &str) -> bool {
+        if host.eq_ignore_ascii_case("localhost") {
+            return true;
+        }
+
+        match host.parse::<IpAddr>() {
+            Ok(IpAddr::V4(ip)) => {
+                ip.is_private()
+                    || ip.is_loopback()
+                    || ip.is_link_local()
+                    || ip.is_broadcast()
+                    || ip.is_documentation()
+                    || ip.is_unspecified()
+            }
+            Ok(IpAddr::V6(ip)) => {
+                ip.is_loopback()
+                    || ip.is_unspecified()
+                    || ip.is_multicast()
+                    || ip.is_unique_local()
+                    || ip.is_unicast_link_local()
+            }
+            Err(_) => false,
+        }
+    }
+
    fn is_allowed_thumb_url(url: &str) -> bool {
        let Some(url) = Url::parse(url).ok() else {
            return false;
@@ -121,8 +147,7 @@ impl NoodlemagazineProxy {
            return false;
        };

-        (host == "noodlemagazine.com" || host.ends_with(".noodlemagazine.com"))
-            && Self::has_allowed_image_extension(url.path())
+        !Self::is_disallowed_thumb_host(host) && Self::has_allowed_image_extension(url.path())
    }

    fn is_binary_image_content_type(content_type: &str) -> bool {
@@ -388,18 +413,18 @@ mod tests {
    }

    #[test]
-    fn allows_only_noodlemagazine_image_thumbs() {
+    fn allows_https_image_thumbs_but_rejects_local_or_non_images() {
        assert!(NoodlemagazineProxy::is_allowed_thumb_url(
            "https://noodlemagazine.com/thumbs/example.webp"
        ));
        assert!(NoodlemagazineProxy::is_allowed_thumb_url(
-            "https://img.noodlemagazine.com/previews/example.jpg"
+            "https://cdn.example/previews/example.jpg"
        ));
        assert!(!NoodlemagazineProxy::is_allowed_thumb_url(
            "https://noodlemagazine.com/watch/-123_456"
        ));
        assert!(!NoodlemagazineProxy::is_allowed_thumb_url(
-            "https://cdn.example/thumb.jpg"
+            "https://localhost/thumb.jpg"
        ));
    }