nextcloud /
server
@@ -14,132 +14,132 @@ |
||
| 14 | 14 | |
| 15 | 15 | class DnsPinMiddleware { |
| 16 | 16 | |
| 17 | - public function __construct( |
|
| 18 | - private NegativeDnsCache $negativeDnsCache, |
|
| 19 | - private IpAddressClassifier $ipAddressClassifier, |
|
| 20 | - ) { |
|
| 21 | - } |
|
| 22 | - |
|
| 23 | - /** |
|
| 24 | - * Fetch soa record for a target |
|
| 25 | - */ |
|
| 26 | - private function soaRecord(string $target): ?array { |
|
| 27 | - $labels = explode('.', $target); |
|
| 28 | - |
|
| 29 | - $top = count($labels) >= 2 ? array_pop($labels) : ''; |
|
| 30 | - $second = array_pop($labels); |
|
| 31 | - |
|
| 32 | - $hostname = $second . '.' . $top; |
|
| 33 | - $responses = $this->dnsGetRecord($hostname, DNS_SOA); |
|
| 34 | - |
|
| 35 | - if ($responses === false || count($responses) === 0) { |
|
| 36 | - return null; |
|
| 37 | - } |
|
| 38 | - |
|
| 39 | - return reset($responses); |
|
| 40 | - } |
|
| 41 | - |
|
| 42 | - private function dnsResolve(string $target, int $recursionCount) : array { |
|
| 43 | - if ($recursionCount >= 10) { |
|
| 44 | - return []; |
|
| 45 | - } |
|
| 46 | - |
|
| 47 | - $recursionCount++; |
|
| 48 | - $targetIps = []; |
|
| 49 | - |
|
| 50 | - $soaDnsEntry = $this->soaRecord($target); |
|
| 51 | - $dnsNegativeTtl = $soaDnsEntry['minimum-ttl'] ?? null; |
|
| 52 | - $canHaveCnameRecord = true; |
|
| 53 | - |
|
| 54 | - $dnsTypes = \defined('AF_INET6') || @inet_pton('::1') |
|
| 55 | - ? [DNS_A, DNS_AAAA, DNS_CNAME] |
|
| 56 | - : [DNS_A, DNS_CNAME]; |
|
| 57 | - foreach ($dnsTypes as $dnsType) { |
|
| 58 | - if ($canHaveCnameRecord === false && $dnsType === DNS_CNAME) { |
|
| 59 | - continue; |
|
| 60 | - } |
|
| 61 | - |
|
| 62 | - if ($this->negativeDnsCache->isNegativeCached($target, $dnsType)) { |
|
| 63 | - continue; |
|
| 64 | - } |
|
| 65 | - |
|
| 66 | - $dnsResponses = $this->dnsGetRecord($target, $dnsType); |
|
| 67 | - if ($dnsResponses !== false && count($dnsResponses) > 0) { |
|
| 68 | - foreach ($dnsResponses as $dnsResponse) { |
|
| 69 | - if (isset($dnsResponse['ip'])) { |
|
| 70 | - $targetIps[] = $dnsResponse['ip']; |
|
| 71 | - $canHaveCnameRecord = false; |
|
| 72 | - } elseif (isset($dnsResponse['ipv6'])) { |
|
| 73 | - $targetIps[] = $dnsResponse['ipv6']; |
|
| 74 | - $canHaveCnameRecord = false; |
|
| 75 | - } elseif (isset($dnsResponse['target']) && $canHaveCnameRecord) { |
|
| 76 | - $targetIps = array_merge($targetIps, $this->dnsResolve($dnsResponse['target'], $recursionCount)); |
|
| 77 | - } |
|
| 78 | - } |
|
| 79 | - } elseif ($dnsNegativeTtl !== null) { |
|
| 80 | - $this->negativeDnsCache->setNegativeCacheForDnsType($target, $dnsType, $dnsNegativeTtl); |
|
| 81 | - } |
|
| 82 | - } |
|
| 83 | - |
|
| 84 | - return $targetIps; |
|
| 85 | - } |
|
| 86 | - |
|
| 87 | - /** |
|
| 88 | - * Wrapper for dns_get_record |
|
| 89 | - */ |
|
| 90 | - protected function dnsGetRecord(string $hostname, int $type): array|false { |
|
| 91 | - return \dns_get_record($hostname, $type); |
|
| 92 | - } |
|
| 93 | - |
|
| 94 | - public function addDnsPinning(): callable { |
|
| 95 | - return function (callable $handler) { |
|
| 96 | - return function ( |
|
| 97 | - RequestInterface $request, |
|
| 98 | - array $options, |
|
| 99 | - ) use ($handler) { |
|
| 100 | - if ($options['nextcloud']['allow_local_address'] === true) { |
|
| 101 | - return $handler($request, $options); |
|
| 102 | - } |
|
| 103 | - |
|
| 104 | - $hostName = $request->getUri()->getHost(); |
|
| 105 | - $port = $request->getUri()->getPort(); |
|
| 106 | - |
|
| 107 | - $ports = [ |
|
| 108 | - '80', |
|
| 109 | - '443', |
|
| 110 | - ]; |
|
| 111 | - |
|
| 112 | - if ($port !== null) { |
|
| 113 | - $ports[] = (string)$port; |
|
| 114 | - } |
|
| 115 | - |
|
| 116 | - $targetIps = $this->dnsResolve(idn_to_utf8($hostName), 0); |
|
| 117 | - |
|
| 118 | - if (empty($targetIps)) { |
|
| 119 | - throw new LocalServerException('No DNS record found for ' . $hostName); |
|
| 120 | - } |
|
| 121 | - |
|
| 122 | - $curlResolves = []; |
|
| 123 | - |
|
| 124 | - foreach ($ports as $port) { |
|
| 125 | - $curlResolves["$hostName:$port"] = []; |
|
| 126 | - |
|
| 127 | - foreach ($targetIps as $ip) { |
|
| 128 | - if ($this->ipAddressClassifier->isLocalAddress($ip)) { |
|
| 129 | - // TODO: continue with all non-local IPs? |
|
| 130 | - throw new LocalServerException('Host "' . $ip . '" (' . $hostName . ':' . $port . ') violates local access rules'); |
|
| 131 | - } |
|
| 132 | - $curlResolves["$hostName:$port"][] = $ip; |
|
| 133 | - } |
|
| 134 | - } |
|
| 135 | - |
|
| 136 | - // Coalesce the per-host:port ips back into a comma separated list |
|
| 137 | - foreach ($curlResolves as $hostport => $ips) { |
|
| 138 | - $options['curl'][CURLOPT_RESOLVE][] = "$hostport:" . implode(',', $ips); |
|
| 139 | - } |
|
| 140 | - |
|
| 141 | - return $handler($request, $options); |
|
| 142 | - }; |
|
| 143 | - }; |
|
| 144 | - } |
|
| 17 | + public function __construct( |
|
| 18 | + private NegativeDnsCache $negativeDnsCache, |
|
| 19 | + private IpAddressClassifier $ipAddressClassifier, |
|
| 20 | + ) { |
|
| 21 | + } |
|
| 22 | + |
|
| 23 | + /** |
|
| 24 | + * Fetch soa record for a target |
|
| 25 | + */ |
|
| 26 | + private function soaRecord(string $target): ?array { |
|
| 27 | + $labels = explode('.', $target); |
|
| 28 | + |
|
| 29 | + $top = count($labels) >= 2 ? array_pop($labels) : ''; |
|
| 30 | + $second = array_pop($labels); |
|
| 31 | + |
|
| 32 | + $hostname = $second . '.' . $top; |
|
| 33 | + $responses = $this->dnsGetRecord($hostname, DNS_SOA); |
|
| 34 | + |
|
| 35 | + if ($responses === false || count($responses) === 0) { |
|
| 36 | + return null; |
|
| 37 | + } |
|
| 38 | + |
|
| 39 | + return reset($responses); |
|
| 40 | + } |
|
| 41 | + |
|
| 42 | + private function dnsResolve(string $target, int $recursionCount) : array { |
|
| 43 | + if ($recursionCount >= 10) { |
|
| 44 | + return []; |
|
| 45 | + } |
|
| 46 | + |
|
| 47 | + $recursionCount++; |
|
| 48 | + $targetIps = []; |
|
| 49 | + |
|
| 50 | + $soaDnsEntry = $this->soaRecord($target); |
|
| 51 | + $dnsNegativeTtl = $soaDnsEntry['minimum-ttl'] ?? null; |
|
| 52 | + $canHaveCnameRecord = true; |
|
| 53 | + |
|
| 54 | + $dnsTypes = \defined('AF_INET6') || @inet_pton('::1') |
|
| 55 | + ? [DNS_A, DNS_AAAA, DNS_CNAME] |
|
| 56 | + : [DNS_A, DNS_CNAME]; |
|
| 57 | + foreach ($dnsTypes as $dnsType) { |
|
| 58 | + if ($canHaveCnameRecord === false && $dnsType === DNS_CNAME) { |
|
| 59 | + continue; |
|
| 60 | + } |
|
| 61 | + |
|
| 62 | + if ($this->negativeDnsCache->isNegativeCached($target, $dnsType)) { |
|
| 63 | + continue; |
|
| 64 | + } |
|
| 65 | + |
|
| 66 | + $dnsResponses = $this->dnsGetRecord($target, $dnsType); |
|
| 67 | + if ($dnsResponses !== false && count($dnsResponses) > 0) { |
|
| 68 | + foreach ($dnsResponses as $dnsResponse) { |
|
| 69 | + if (isset($dnsResponse['ip'])) { |
|
| 70 | + $targetIps[] = $dnsResponse['ip']; |
|
| 71 | + $canHaveCnameRecord = false; |
|
| 72 | + } elseif (isset($dnsResponse['ipv6'])) { |
|
| 73 | + $targetIps[] = $dnsResponse['ipv6']; |
|
| 74 | + $canHaveCnameRecord = false; |
|
| 75 | + } elseif (isset($dnsResponse['target']) && $canHaveCnameRecord) { |
|
| 76 | + $targetIps = array_merge($targetIps, $this->dnsResolve($dnsResponse['target'], $recursionCount)); |
|
| 77 | + } |
|
| 78 | + } |
|
| 79 | + } elseif ($dnsNegativeTtl !== null) { |
|
| 80 | + $this->negativeDnsCache->setNegativeCacheForDnsType($target, $dnsType, $dnsNegativeTtl); |
|
| 81 | + } |
|
| 82 | + } |
|
| 83 | + |
|
| 84 | + return $targetIps; |
|
| 85 | + } |
|
| 86 | + |
|
| 87 | + /** |
|
| 88 | + * Wrapper for dns_get_record |
|
| 89 | + */ |
|
| 90 | + protected function dnsGetRecord(string $hostname, int $type): array|false { |
|
| 91 | + return \dns_get_record($hostname, $type); |
|
| 92 | + } |
|
| 93 | + |
|
| 94 | + public function addDnsPinning(): callable { |
|
| 95 | + return function (callable $handler) { |
|
| 96 | + return function ( |
|
| 97 | + RequestInterface $request, |
|
| 98 | + array $options, |
|
| 99 | + ) use ($handler) { |
|
| 100 | + if ($options['nextcloud']['allow_local_address'] === true) { |
|
| 101 | + return $handler($request, $options); |
|
| 102 | + } |
|
| 103 | + |
|
| 104 | + $hostName = $request->getUri()->getHost(); |
|
| 105 | + $port = $request->getUri()->getPort(); |
|
| 106 | + |
|
| 107 | + $ports = [ |
|
| 108 | + '80', |
|
| 109 | + '443', |
|
| 110 | + ]; |
|
| 111 | + |
|
| 112 | + if ($port !== null) { |
|
| 113 | + $ports[] = (string)$port; |
|
| 114 | + } |
|
| 115 | + |
|
| 116 | + $targetIps = $this->dnsResolve(idn_to_utf8($hostName), 0); |
|
| 117 | + |
|
| 118 | + if (empty($targetIps)) { |
|
| 119 | + throw new LocalServerException('No DNS record found for ' . $hostName); |
|
| 120 | + } |
|
| 121 | + |
|
| 122 | + $curlResolves = []; |
|
| 123 | + |
|
| 124 | + foreach ($ports as $port) { |
|
| 125 | + $curlResolves["$hostName:$port"] = []; |
|
| 126 | + |
|
| 127 | + foreach ($targetIps as $ip) { |
|
| 128 | + if ($this->ipAddressClassifier->isLocalAddress($ip)) { |
|
| 129 | + // TODO: continue with all non-local IPs? |
|
| 130 | + throw new LocalServerException('Host "' . $ip . '" (' . $hostName . ':' . $port . ') violates local access rules'); |
|
| 131 | + } |
|
| 132 | + $curlResolves["$hostName:$port"][] = $ip; |
|
| 133 | + } |
|
| 134 | + } |
|
| 135 | + |
|
| 136 | + // Coalesce the per-host:port ips back into a comma separated list |
|
| 137 | + foreach ($curlResolves as $hostport => $ips) { |
|
| 138 | + $options['curl'][CURLOPT_RESOLVE][] = "$hostport:" . implode(',', $ips); |
|
| 139 | + } |
|
| 140 | + |
|
| 141 | + return $handler($request, $options); |
|
| 142 | + }; |
|
| 143 | + }; |
|
| 144 | + } |
|
| 145 | 145 | } |
