author | Lukas Reschke <lukas@statuscode.ch> | 2021-03-23 16:41:31 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-04-06 11:37:47 +0000 |
commit | 5f3abffe6f37b4f8639fde8bcaf35d873a17636c (patch) | |
tree | 3498450ac8351f5a292dacc7cb17de9b27e4535b /lib/private/Http/Client/ClientService.php | |
parent | 2056b76c5fb29fa9273c50e17e54c5cf43f8a5fc (diff) | |
Improve networking checks
Whilst we currently state that SSRF is generally outside of our threat model, this is an area where we should invest in improvements.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib/private/Http/Client/ClientService.php')
-rw-r--r-- | lib/private/Http/Client/ClientService.php | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/lib/private/Http/Client/ClientService.php b/lib/private/Http/Client/ClientService.php
index 3858032308a..231436004ba 100644
--- a/lib/private/Http/Client/ClientService.php
+++ b/lib/private/Http/Client/ClientService.php
@@ -28,6 +28,8 @@ declare(strict_types=1);
 namespace OC\Http\Client;
 
 use GuzzleHttp\Client as GuzzleClient;
+use GuzzleHttp\HandlerStack;
+use GuzzleHttp\Handler\CurlHandler;
 use OCP\Http\Client\IClient;
 use OCP\Http\Client\IClientService;
 use OCP\ICertificateManager;
@@ -46,19 +48,39 @@ class ClientService implements IClientService {
 private $logger;
 /** @var ICertificateManager */
 private $certificateManager;
+ /** @var DnsPinMiddleware */
+ private $dnsPinMiddleware;
+ /** @var LocalAddressChecker */
+ private $localAddressChecker;
 
 public function __construct(IConfig $config,
 ILogger $logger,
- ICertificateManager $certificateManager) {
+ ICertificateManager $certificateManager,
+ DnsPinMiddleware $dnsPinMiddleware,
+ LocalAddressChecker $localAddressChecker) {
 $this->config = $config;
 $this->logger = $logger;
 $this->certificateManager = $certificateManager;
+ $this->dnsPinMiddleware = $dnsPinMiddleware;
+ $this->localAddressChecker = $localAddressChecker;
 }
 
 /**
 * @return Client
 */
 public function newClient(): IClient {
- return new Client($this->config, $this->logger, $this->certificateManager, new GuzzleClient());
+ $handler = new CurlHandler();
+ $stack = HandlerStack::create($handler);
+ $stack->push($this->dnsPinMiddleware->addDnsPinning());
+
+ $client = new GuzzleClient(['handler' => $stack]);
+
+ return new Client(
+ $this->config,
+ $this->logger,
+ $this->certificateManager,
+ $client,
+ $this->localAddressChecker
+ );
 }
 }
|
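Review bot: In `newClient()` the handler is now fixed to `new CurlHandler()`, where the old `new GuzzleClient()` let Guzzle choose its default handler, and nothing in the hunk records why. If `DnsPinMiddleware` depends on curl-specific request options (its code is not shown here, so this is an inference), a later cleanup back to a bare `HandlerStack::create()` would silently drop the pinning; a comment such as `// CurlHandler is required: DNS pinning is applied through curl options` above that line would guard against it. Because `push()` places the middleware next to the handler, it should run again for every redirect hop, but whether `LocalAddressChecker` is consulted per hop is decided in `Client`, outside this hunk, so a test that a redirect to a loopback or private address is rejected would be worth adding. The `newClient()` docblock still reads only `@return Client` and could state that every client it returns carries the pinning middleware and the address checker.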