Disallow local (loopback address) requests when using the gateway

This removes the possibility of some locally running javascript in a website or app requesting unvetted data via the local gateway.

src/main/java/org/qortal/api/Security.java

@@ -50,6 +50,17 @@ public abstract class Security {
 		}
 	}
 
+	public static void disallowLoopbackRequests(HttpServletRequest request) {
+		try {
+			InetAddress remoteAddr = InetAddress.getByName(request.getRemoteAddr());
+			if (remoteAddr.isLoopbackAddress()) {
+				throw ApiExceptionFactory.INSTANCE.createCustomException(request, ApiError.UNAUTHORIZED, "Local requests not allowed");
+			}
+		} catch (UnknownHostException e) {
+			throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.UNAUTHORIZED);
+		}
+	}
+
 	public static ApiKey getApiKey(HttpServletRequest request) {
 		ApiKey apiKey = ApiService.getInstance().getApiKey();
 		if (apiKey == null) {

src/main/java/org/qortal/api/gateway/resource/GatewayResource.java

@@ -27,6 +27,8 @@ public class GatewayResource {
     @SecurityRequirement(name = "apiKey")
     public HttpServletResponse getPathByName(@PathParam("name") String name,
                                              @PathParam("path") String inPath) {
+        // Block requests from localhost, to prevent websites/apps from running javascript that fetches unvetted data
+        Security.disallowLoopbackRequests(request);
         return this.get(name, ResourceIdType.NAME, Service.WEBSITE, inPath, null, "", true, true);
     }
 
@@ -34,6 +36,8 @@ public class GatewayResource {
     @Path("{name}")
     @SecurityRequirement(name = "apiKey")
     public HttpServletResponse getIndexByName(@PathParam("name") String name) {
+        // Block requests from localhost, to prevent websites/apps from running javascript that fetches unvetted data
+        Security.disallowLoopbackRequests(request);
         return this.get(name, ResourceIdType.NAME, Service.WEBSITE, "/", null, "", true, true);
     }