Harden image URL validation against followed redirects

2026-02-07 00:46:03 +01:00
parent 714914bb33
commit b86343a59d
3 changed files with 47 additions and 1 deletions
--- a/Endpoints/EndpointHelpers.cs
+++ b/Endpoints/EndpointHelpers.cs
@@ -122,6 +122,8 @@ internal static class EndpointHelpers
        {
            using var head = new HttpRequestMessage(HttpMethod.Head, uri);
            var headResp = await client.SendAsync(head, HttpCompletionOption.ResponseHeadersRead, cts.Token);
+            if (WasRedirected(uri, headResp))
+                return false;
            if (headResp is { IsSuccessStatusCode: true, StatusCode: not System.Net.HttpStatusCode.Redirect })
            {
                if (headResp.Content.Headers.ContentLength is > MaxImageBytes)
@@ -142,6 +144,8 @@ internal static class EndpointHelpers
            using var get = new HttpRequestMessage(HttpMethod.Get, uri);
            get.Headers.Range = new System.Net.Http.Headers.RangeHeaderValue(0, 1023);
            var resp = await client.SendAsync(get, HttpCompletionOption.ResponseHeadersRead, cts.Token);
+            if (WasRedirected(uri, resp))
+                return false;
            if (!resp.IsSuccessStatusCode)
                return false;
            if (resp.StatusCode is System.Net.HttpStatusCode.Redirect)
@@ -179,6 +183,15 @@ internal static class EndpointHelpers

    private const long MaxImageBytes = 5 * 1024 * 1024; // 5 MB guard

+    private static bool WasRedirected(Uri requestedUri, HttpResponseMessage response)
+    {
+        var finalUri = response.RequestMessage?.RequestUri;
+        if (finalUri is null)
+            return false;
+
+        return !requestedUri.Equals(finalUri);
+    }
+
    private static async Task<bool> IsSafePublicHostAsync(Uri uri, CancellationToken ct)
    {
        try