LBP
/
miniflux_v2
kopia lustrzana https://github.com/miniflux/v2.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315
							// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
// SPDX-License-Identifier: Apache-2.0

package fetcher // import "miniflux.app/v2/internal/reader/fetcher"

import (
	"context"
	"crypto/tls"
	"encoding/base64"
	"errors"
	"fmt"
	"log/slog"
	"net"
	"net/http"
	"net/url"
	"slices"
	"strings"
	"syscall"
	"time"

	"miniflux.app/v2/internal/config"
	"miniflux.app/v2/internal/proxyrotator"
	"miniflux.app/v2/internal/urllib"
)

const (
	defaultHTTPClientTimeout = 20 * time.Second
	defaultAcceptHeader      = "application/xml,application/atom+xml,application/rss+xml,application/rdf+xml,application/feed+json,text/html,*/*;q=0.9"
)

var (
	ErrHostnameResolution = errors.New("fetcher: unable to resolve request hostname")
	ErrPrivateNetworkHost = errors.New("fetcher: refusing to access private network host")
)

type RequestBuilder struct {
	headers            http.Header
	clientProxyURL     *url.URL
	clientTimeout      time.Duration
	useClientProxy     bool
	withoutRedirects   bool
	ignoreTLSErrors    bool
	disableHTTP2       bool
	disableCompression bool
	proxyRotator       *proxyrotator.ProxyRotator
	feedProxyURL       string
}

func NewRequestBuilder() *RequestBuilder {
	return &RequestBuilder{
		headers:       make(http.Header),
		clientTimeout: defaultHTTPClientTimeout,
	}
}

func (r *RequestBuilder) WithHeader(key, value string) *RequestBuilder {
	r.headers.Set(key, value)
	return r
}

func (r *RequestBuilder) WithETag(etag string) *RequestBuilder {
	if etag != "" {
		r.headers.Set("If-None-Match", etag)
	}
	return r
}

func (r *RequestBuilder) WithLastModified(lastModified string) *RequestBuilder {
	if lastModified != "" {
		r.headers.Set("If-Modified-Since", lastModified)
	}
	return r
}

func (r *RequestBuilder) WithUserAgent(userAgent string, defaultUserAgent string) *RequestBuilder {
	if userAgent != "" {
		r.headers.Set("User-Agent", userAgent)
	} else {
		r.headers.Set("User-Agent", defaultUserAgent)
	}
	return r
}

func (r *RequestBuilder) WithCookie(cookie string) *RequestBuilder {
	if cookie != "" {
		r.headers.Set("Cookie", cookie)
	}
	return r
}

func (r *RequestBuilder) WithUsernameAndPassword(username, password string) *RequestBuilder {
	if username != "" && password != "" {
		r.headers.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(username+":"+password)))
	}
	return r
}

func (r *RequestBuilder) WithProxyRotator(proxyRotator *proxyrotator.ProxyRotator) *RequestBuilder {
	r.proxyRotator = proxyRotator
	return r
}

func (r *RequestBuilder) WithCustomApplicationProxyURL(proxyURL *url.URL) *RequestBuilder {
	r.clientProxyURL = proxyURL
	return r
}

func (r *RequestBuilder) UseCustomApplicationProxyURL(value bool) *RequestBuilder {
	r.useClientProxy = value
	return r
}

func (r *RequestBuilder) WithCustomFeedProxyURL(proxyURL string) *RequestBuilder {
	r.feedProxyURL = proxyURL
	return r
}

func (r *RequestBuilder) WithTimeout(timeout time.Duration) *RequestBuilder {
	r.clientTimeout = timeout
	return r
}

func (r *RequestBuilder) WithoutRedirects() *RequestBuilder {
	r.withoutRedirects = true
	return r
}

func (r *RequestBuilder) DisableHTTP2(value bool) *RequestBuilder {
	r.disableHTTP2 = value
	return r
}

func (r *RequestBuilder) IgnoreTLSErrors(value bool) *RequestBuilder {
	r.ignoreTLSErrors = value
	return r
}

func (r *RequestBuilder) WithoutCompression() *RequestBuilder {
	r.disableCompression = true
	return r
}

func (r *RequestBuilder) ExecuteRequest(requestURL string) (*http.Response, error) {
	var clientProxyURL *url.URL

	switch {
	case r.feedProxyURL != "":
		var err error
		clientProxyURL, err = url.Parse(r.feedProxyURL)
		if err != nil {
			return nil, fmt.Errorf(`fetcher: invalid feed proxy URL %q: %w`, r.feedProxyURL, err)
		}
	case r.useClientProxy && r.clientProxyURL != nil:
		clientProxyURL = r.clientProxyURL
	case r.proxyRotator != nil && r.proxyRotator.HasProxies():
		clientProxyURL = r.proxyRotator.GetNextProxy()
	}

	directDialer := &net.Dialer{
		Timeout:   10 * time.Second, // Default is 30s.
		KeepAlive: 15 * time.Second, // Default is 30s.
	}

	proxyDialer := &net.Dialer{
		Timeout:   10 * time.Second, // Default is 30s.
		KeepAlive: 15 * time.Second, // Default is 30s.
	}

	proxyDialAddress := normalizeProxyDialAddress(clientProxyURL)

	// Perform the private-network check inside the dialer's Control callback,
	// which fires after DNS resolution but before the TCP connection is made.
	// This eliminates TOCTOU / DNS-rebinding vulnerabilities: the resolved IP
	// that is checked is exactly the IP that will be connected to.
	allowPrivateNetworks := config.Opts == nil || config.Opts.FetcherAllowPrivateNetworks()
	if !allowPrivateNetworks {
		directDialer.Control = func(network, address string, c syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}

			ip := net.ParseIP(host)
			if urllib.IsNonPublicIP(ip) {
				return fmt.Errorf("%w %q", ErrPrivateNetworkHost, host)
			}

			return nil
		}
	}

	transport := &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		// Setting `DialContext` disables HTTP/2, this option forces the transport to try HTTP/2 regardless.
		ForceAttemptHTTP2: true,
		MaxIdleConns:      50,               // Default is 100.
		IdleConnTimeout:   10 * time.Second, // Default is 90s.
	}

	transport.DialContext = directDialer.DialContext
	if !allowPrivateNetworks && proxyDialAddress != "" {
		// Explicitly configured proxies are a trusted hop. Keep the private-network
		// check for direct requests and redirects, but allow the connection to the proxy itself.
		transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
			if normalizeDialAddress(addr) == proxyDialAddress {
				return proxyDialer.DialContext(ctx, network, addr)
			}

			return directDialer.DialContext(ctx, network, addr)
		}
	}

	if r.ignoreTLSErrors {
		//  Add insecure ciphers if we are ignoring TLS errors. This allows to connect to badly configured servers anyway
		ciphers := slices.Concat(tls.CipherSuites(), tls.InsecureCipherSuites())
		cipherSuites := make([]uint16, 0, len(ciphers))
		for _, cipher := range ciphers {
			cipherSuites = append(cipherSuites, cipher.ID)
		}
		transport.TLSClientConfig = &tls.Config{
			CipherSuites:       cipherSuites,
			InsecureSkipVerify: true,
		}
	}

	if r.disableHTTP2 {
		transport.ForceAttemptHTTP2 = false

		// https://pkg.go.dev/net/http#hdr-HTTP_2
		// Programs that must disable HTTP/2 can do so by setting [Transport.TLSNextProto] (for clients) or [Server.TLSNextProto] (for servers) to a non-nil, empty map.
		transport.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
	}

	var clientProxyURLRedacted string
	if clientProxyURL != nil {
		transport.Proxy = http.ProxyURL(clientProxyURL)
		clientProxyURLRedacted = clientProxyURL.Redacted()
	}

	client := &http.Client{
		Timeout: r.clientTimeout,
	}

	if r.withoutRedirects {
		client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		}
	}

	client.Transport = transport

	req, err := http.NewRequest("GET", requestURL, nil)
	if err != nil {
		return nil, err
	}

	req.Header = r.headers
	if r.disableCompression {
		req.Header.Set("Accept-Encoding", "identity")
	} else {
		req.Header.Set("Accept-Encoding", "br,gzip")
	}

	// Set default Accept header if not already set.
	// Note that for the media proxy requests, we need to forward the browser Accept header.
	if req.Header.Get("Accept") == "" {
		req.Header.Set("Accept", defaultAcceptHeader)
	}

	req.Header.Set("Connection", "close")

	slog.Debug("Making outgoing request", slog.Group("request",
		slog.String("method", req.Method),
		slog.String("url", req.URL.String()),
		slog.Any("headers", req.Header),
		slog.Bool("without_redirects", r.withoutRedirects),
		slog.Bool("use_app_client_proxy", r.useClientProxy),
		slog.String("client_proxy_url", clientProxyURLRedacted),
		slog.Bool("ignore_tls_errors", r.ignoreTLSErrors),
		slog.Bool("disable_http2", r.disableHTTP2),
	))

	return client.Do(req)
}

func normalizeDialAddress(addr string) string {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return ""
	}

	return net.JoinHostPort(strings.ToLower(host), port)
}

func normalizeProxyDialAddress(proxyURL *url.URL) string {
	if proxyURL == nil {
		return ""
	}

	port := proxyURL.Port()
	if port == "" {
		switch strings.ToLower(proxyURL.Scheme) {
		case "", "http":
			port = "80"
		case "https":
			port = "443"
		case "socks5", "socks5h":
			port = "1080"
		default:
			return ""
		}
	}

	return net.JoinHostPort(strings.ToLower(proxyURL.Hostname()), port)
}