From ce56cd2b162427ecc856673a5d09dab6b0c5cac6 Mon Sep 17 00:00:00 2001
From: CalDescent
Date: Fri, 19 Nov 2021 13:20:53 +0000
Subject: [PATCH] Disallow local (loopback address) requests when using the gateway

This removes the possibility of some locally running javascript in a website or app requesting unvetted data via the local gateway.
---
 src/main/java/org/qortal/api/Security.java | 11 +++++++++++
 .../qortal/api/gateway/resource/GatewayResource.java | 4 ++++
 2 files changed, 15 insertions(+)

diff --git a/src/main/java/org/qortal/api/Security.java b/src/main/java/org/qortal/api/Security.java
index 6d9dc949..ea0504d9 100644
--- a/src/main/java/org/qortal/api/Security.java
+++ b/src/main/java/org/qortal/api/Security.java
@@ -50,6 +50,17 @@ public abstract class Security {
 		}
 	}
 
+	public static void disallowLoopbackRequests(HttpServletRequest request) {
+		try {
+			InetAddress remoteAddr = InetAddress.getByName(request.getRemoteAddr());
+			if (remoteAddr.isLoopbackAddress()) {
+				throw ApiExceptionFactory.INSTANCE.createCustomException(request, ApiError.UNAUTHORIZED, "Local requests not allowed");
+			}
+		} catch (UnknownHostException e) {
+			throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.UNAUTHORIZED);
+		}
+	}
+
 	public static ApiKey getApiKey(HttpServletRequest request) {
 		ApiKey apiKey = ApiService.getInstance().getApiKey();
 		if (apiKey == null) {
diff --git a/src/main/java/org/qortal/api/gateway/resource/GatewayResource.java b/src/main/java/org/qortal/api/gateway/resource/GatewayResource.java
index deb4a691..b3509227 100644
--- a/src/main/java/org/qortal/api/gateway/resource/GatewayResource.java
+++ b/src/main/java/org/qortal/api/gateway/resource/GatewayResource.java
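Review bot: `disallowLoopbackRequests` decides on `request.getRemoteAddr()`, which is the immediate TCP peer, so when the node sits behind a reverse proxy every request carries the proxy's address and the check either rejects all gateway traffic (proxy on the same host) or rejects nothing; the new public method carries no Javadoc stating this deployment caveat. Suggest adding one: `/** Rejects requests whose TCP peer is a loopback address, failing closed with UNAUTHORIZED if the address cannot be parsed. Based on getRemoteAddr(), so behind a reverse proxy the peer is the proxy, not the browser. */`. The check is also narrower than the commit title's "local requests": a page fetching the node through one of the host's non-loopback interface addresses passes it, which may be the intended scope but is worth stating in that comment. If `getRemoteAddr()` could ever yield a hostname rather than an IP literal, `InetAddress.getByName` would perform a DNS lookup per request; servlet containers return an IP string, so this is a note rather than a defect.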
@@ -27,6 +27,8 @@ public class GatewayResource {
 	@SecurityRequirement(name = "apiKey")
 	public HttpServletResponse getPathByName(@PathParam("name") String name, @PathParam("path") String inPath) {
+		// Block requests from localhost, to prevent websites/apps from running javascript that fetches unvetted data
+		Security.disallowLoopbackRequests(request);
 		return this.get(name, ResourceIdType.NAME, Service.WEBSITE, inPath, null, "", true, true);
 	}
 
@@ -34,6 +36,8 @@ public class GatewayResource {
 	@Path("{name}")
 	@SecurityRequirement(name = "apiKey")
 	public HttpServletResponse getIndexByName(@PathParam("name") String name) {
+		// Block requests from localhost, to prevent websites/apps from running javascript that fetches unvetted data
+		Security.disallowLoopbackRequests(request);
 		return this.get(name, ResourceIdType.NAME, Service.WEBSITE, "/", null, "", true, true);
 	}
 
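Review bot: The loopback check is repeated per handler in `getPathByName` and `getIndexByName` (the second hunk duplicates the first line for line), so any gateway route added later that omits the call is exposed; since both handlers immediately delegate to `this.get(...)`, calling `Security.disallowLoopbackRequests(request);` once at the top of that shared method, or in a request filter, would cover every route, provided every caller of `get` should be subject to the check. Both handlers are annotated `@SecurityRequirement(name = "apiKey")`, but nothing in these hunks shows an API-key check being applied, so presumably the loopback test is the only gate here; if so, the duplicated comment could say that rather than only naming the threat. `request` is not declared in either hunk and is presumably an injected `@Context HttpServletRequest` field outside this view; the enclosing class continues outside both hunks.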