Mauro Ciancio

Reputation: 436

Filtering URLs to allow only the ones that are publicly visible

Users in my app can send messages between them and they can embed images from public sites in the content. I'd like to download those images and store them in my own storage, so my app won't break when the images are deleted from the internet.

I'm concerned about the security implications.

What can I do in order to check that I'm downloading an image from a public server and not hitting my own?

I'm using standard Java.

Upvotes: 2

Views: 112

Answers (1)

digvijaykatoch

Reputation: 141

There are front end and backend solutions for this.

Simply prevent your app from accepting such links. Use patterns to ensure certain things are filtered, for example, localhost links or abusive links, even if they are shortened: https://stackoverflow.com/a/8151742/2110818

Or configure your firewall to ensure that ports 80 and 443 are not accessible on the machine that has the Apache server. There's plenty you can do.

Which server are you using or are going to use to host your server? For example, you can secure Tomcat or other servers and prevent things from happening, like here: https://www.mulesoft.com/tcat/tomcat-security

Also, one should try to prevent any kind of unvalidated redirect anyway, even within their code. So, don't just focus on external threats; your own code could hurt you. Check this out to know more: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

But, I think the most relevant solution to prevent internal and external threats is to configure your machine well and ensure the firewall covers all aspects. There are detailed guides for securing servers out there.

Upvotes: 1
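One way to implement the check the question asks for in standard Java, as an added example that is neither poster's code: resolve the host and refuse any URL whose addresses are not public unicast, then download with automatic redirects switched off so that every redirect target goes through the same check (the "localhost links" filtering the answer mentions is not enough on its own, since a public host can redirect to an internal one). The class and method names are my own.

```java
import java.io.IOException;
import java.net.*;

public final class PublicUrlFilter {

    /** True only for http(s) URLs without userinfo whose host resolves exclusively to public addresses. */
    public static boolean isPublicUrl(String url) {
        URI uri;
        try { uri = new URI(url); } catch (URISyntaxException e) { return false; }
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) return false;
        if (uri.getHost() == null || uri.getUserInfo() != null) return false;
        try {
            for (InetAddress a : InetAddress.getAllByName(uri.getHost())) {
                if (!isPublicAddress(a)) return false; // one internal answer rejects the whole host
            }
        } catch (UnknownHostException e) { return false; }
        return true;
    }

    static boolean isPublicAddress(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) return false;
        byte[] b = a.getAddress();
        // isSiteLocalAddress() misses IPv6 unique-local (fc00::/7) and IPv4 shared space (100.64.0.0/10)
        if (b.length == 16 && (b[0] & 0xfe) == 0xfc) return false;
        if (b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40) return false;
        return true;
    }

    /** Downloads with automatic redirects off, re-validating every Location before following it. */
    public static byte[] fetchPublicImage(String url, int maxRedirects) throws IOException {
        for (int hop = 0; hop <= maxRedirects; hop++) {
            if (!isPublicUrl(url)) throw new IOException("refusing non-public URL: " + url);
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            c.setInstanceFollowRedirects(false);
            c.setConnectTimeout(5000);
            c.setReadTimeout(5000);
            int code = c.getResponseCode();
            if (code / 100 == 3) {
                String loc = c.getHeaderField("Location");
                if (loc == null) throw new IOException("redirect without Location");
                url = new URL(new URL(url), loc).toString(); // resolve a relative Location
                continue;
            }
            try (var in = c.getInputStream()) { return in.readAllBytes(); }
        }
        throw new IOException("too many redirects");
    }
}
```

The check and the connection resolve the name separately, so a host that changes its DNS answer between the two (DNS rebinding) still gets through; connecting to the address you validated closes that gap. Cap the response size before storing it.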
