Detect internal IPs and expand whitelist

Fix brave/brave-browser#1706
brave · Oct 18, 2018 · c303167 · c303167
1 parent 8aa4e25
commit c303167
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/build/commands/lib/start.js b/build/commands/lib/start.js
@@ -1,5 +1,7 @@
 const path = require('path')
 const fs = require('fs-extra')
+const ip = require('ip')
+const URL = require('url').URL
 const config = require('../lib/config')
 const util = require('../lib/util')
 const whitelistedUrlPrefixes = require('./whitelistedUrlPrefixes')
@@ -111,6 +113,15 @@ const start = (buildConfig = config.defaultBuildConfig, options) => {
             return url.startsWith(prefix)
           })
           if (!found) {
+            // Check if the URL is a private IP
+            try {
+              const hostname = new URL(url).hostname
+              if (ip.isPrivate(hostname)) {
+                // Warn but don't fail the audit
+                console.log('NETWORK AUDIT WARN:', url)
+                return true
+              }
+            } catch (e) {}
             // This is not a whitelisted URL! log it and exit with non-zero
             console.log('NETWORK AUDIT FAIL:', url)
             exitCode = 1
@@ -121,6 +132,11 @@ const start = (buildConfig = config.defaultBuildConfig, options) => {
       return false
     })
     fs.writeJsonSync('network-audit-results.json', urlRequests)
+    if (exitCode > 0) {
+      console.log(`network-audit failed. import ${networkLogFile} in chrome://net-internals for more details.`)
+    } else {
+      console.log('network audit passed.')
+    }
     process.exit(exitCode)
   }
 }

diff --git a/build/commands/lib/whitelistedUrlPrefixes.js b/build/commands/lib/whitelistedUrlPrefixes.js
@@ -1,10 +1,14 @@
+// Before adding to this list, get approval from the security team
 module.exports = [
   'https://update.googleapis.com/service/update2', // allowed because it 307's to go-updater.brave.com. should never actually connect to googleapis.com.
+  'https://safebrowsing.googleapis.com/v4/threatListUpdates', // allowed because it 307's to safebrowsing.brave.com
   'https://no-thanks.invalid/', // fake gaia URL
   'https://go-updater.brave.com/',
   'https://safebrowsing.brave.com/',
   'https://brave-core-ext.s3.brave.com/',
   'https://laptop-updates.brave.com/',
+  'https://static.brave.com/',
+  'https://static1.brave.com/',
   'https://ledger.mercury.basicattentiontoken.org/',
   'https://ledger-staging.mercury.basicattentiontoken.org/',
   'https://balance.mercury.basicattentiontoken.org/',