Expose SSRF mitigation (#15247)

2025-08-14 02:27:09 -07:00 · 2021-08-04 05:28:36 +02:00 · 2021-08-04 05:28:36 +02:00 · 078cfe656a
commit 078cfe656a
parent 89ac9bf2c9
6 changed files with 43 additions and 1 deletions
--- a/src/base/bittorrent/session.cpp
+++ b/src/base/bittorrent/session.cpp
@ -405,6 +405,7 @@ Session::Session(QObject *parent)
    , m_IDNSupportEnabled(BITTORRENT_SESSION_KEY("IDNSupportEnabled"), false)
    , m_multiConnectionsPerIpEnabled(BITTORRENT_SESSION_KEY("MultiConnectionsPerIp"), false)
    , m_validateHTTPSTrackerCertificate(BITTORRENT_SESSION_KEY("ValidateHTTPSTrackerCertificate"), true)
+    , m_SSRFMitigationEnabled(BITTORRENT_SESSION_KEY("SSRFMitigation"), true)
    , m_blockPeersOnPrivilegedPorts(BITTORRENT_SESSION_KEY("BlockPeersOnPrivilegedPorts"), false)
    , m_isAddTrackersEnabled(BITTORRENT_SESSION_KEY("AddTrackersEnabled"), false)
    , m_additionalTrackers(BITTORRENT_SESSION_KEY("AdditionalTrackers"))
@ -1402,6 +1403,8 @@ void Session::loadLTSettings(lt::settings_pack &settingsPack)

    settingsPack.set_bool(lt::settings_pack::validate_https_trackers, validateHTTPSTrackerCertificate());

+    settingsPack.set_bool(lt::settings_pack::ssrf_mitigation, isSSRFMitigationEnabled());
+
    settingsPack.set_bool(lt::settings_pack::no_connect_privileged_ports, blockPeersOnPrivilegedPorts());

    settingsPack.set_bool(lt::settings_pack::apply_ip_filter_to_trackers, isTrackerFilteringEnabled());
@ -3736,6 +3739,19 @@ void Session::setValidateHTTPSTrackerCertificate(const bool enabled)
    configureDeferred();
 }

+bool Session::isSSRFMitigationEnabled() const
+{
+    return m_SSRFMitigationEnabled;
+}
+
+void Session::setSSRFMitigationEnabled(const bool enabled)
+{
+    if (enabled == m_SSRFMitigationEnabled) return;
+
+    m_SSRFMitigationEnabled = enabled;
+    configureDeferred();
+}
+
 bool Session::blockPeersOnPrivilegedPorts() const
 {
    return m_blockPeersOnPrivilegedPorts;
--- a/src/base/bittorrent/session.h
+++ b/src/base/bittorrent/session.h
@ -422,6 +422,8 @@ namespace BitTorrent
        void setMultiConnectionsPerIpEnabled(bool enabled);
        bool validateHTTPSTrackerCertificate() const;
        void setValidateHTTPSTrackerCertificate(bool enabled);
+        bool isSSRFMitigationEnabled() const;
+        void setSSRFMitigationEnabled(bool enabled);
        bool blockPeersOnPrivilegedPorts() const;
        void setBlockPeersOnPrivilegedPorts(bool enabled);
        bool isTrackerFilteringEnabled() const;
@ -692,6 +694,7 @@ namespace BitTorrent
        CachedSettingValue<bool> m_IDNSupportEnabled;
        CachedSettingValue<bool> m_multiConnectionsPerIpEnabled;
        CachedSettingValue<bool> m_validateHTTPSTrackerCertificate;
+        CachedSettingValue<bool> m_SSRFMitigationEnabled;
        CachedSettingValue<bool> m_blockPeersOnPrivilegedPorts;
        CachedSettingValue<bool> m_isAddTrackersEnabled;
        CachedSettingValue<QString> m_additionalTrackers;
--- a/src/gui/advancedsettings.cpp
+++ b/src/gui/advancedsettings.cpp
@ -120,6 +120,7 @@ namespace
        IDN_SUPPORT,
        MULTI_CONNECTIONS_PER_IP,
        VALIDATE_HTTPS_TRACKER_CERTIFICATE,
+        SSRF_MITIGATION,
        BLOCK_PEERS_ON_PRIVILEGED_PORTS,
        // seeding
        CHOKING_ALGORITHM,
@ -234,6 +235,8 @@ void AdvancedSettings::saveAdvancedSettings()
    session->setMultiConnectionsPerIpEnabled(m_checkBoxMultiConnectionsPerIp.isChecked());
    // Validate HTTPS tracker certificate
    session->setValidateHTTPSTrackerCertificate(m_checkBoxValidateHTTPSTrackerCertificate.isChecked());
+    // SSRF mitigation
+    session->setSSRFMitigationEnabled(m_checkBoxSSRFMitigation.isChecked());
    // Disallow connection to peers on privileged ports
    session->setBlockPeersOnPrivilegedPorts(m_checkBoxBlockPeersOnPrivilegedPorts.isChecked());
    // Recheck torrents on completion
@ -572,6 +575,11 @@ void AdvancedSettings::loadAdvancedSettings()
    addRow(VALIDATE_HTTPS_TRACKER_CERTIFICATE, (tr("Validate HTTPS tracker certificates")
            + ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#validate_https_trackers", "(?)"))
            , &m_checkBoxValidateHTTPSTrackerCertificate);
+    // SSRF mitigation
+    m_checkBoxSSRFMitigation.setChecked(session->isSSRFMitigationEnabled());
+    addRow(SSRF_MITIGATION, (tr("Server-side request forgery (SSRF) mitigation")
+        + ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#ssrf_mitigation", "(?)"))
+        , &m_checkBoxSSRFMitigation);
    // Disallow connection to peers on privileged ports
    m_checkBoxBlockPeersOnPrivilegedPorts.setChecked(session->blockPeersOnPrivilegedPorts());
    addRow(BLOCK_PEERS_ON_PRIVILEGED_PORTS, (tr("Disallow connection to peers on privileged ports") + ' ' + makeLink("https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports", "(?)")), &m_checkBoxBlockPeersOnPrivilegedPorts);
--- a/src/gui/advancedsettings.h
+++ b/src/gui/advancedsettings.h
@ -68,7 +68,7 @@ private:
    QCheckBox m_checkBoxOsCache, m_checkBoxRecheckCompleted, m_checkBoxResolveCountries, m_checkBoxResolveHosts,
              m_checkBoxProgramNotifications, m_checkBoxTorrentAddedNotifications, m_checkBoxTrackerFavicon, m_checkBoxTrackerStatus,
              m_checkBoxConfirmTorrentRecheck, m_checkBoxConfirmRemoveAllTags, m_checkBoxAnnounceAllTrackers, m_checkBoxAnnounceAllTiers,
-              m_checkBoxMultiConnectionsPerIp, m_checkBoxValidateHTTPSTrackerCertificate, m_checkBoxBlockPeersOnPrivilegedPorts, m_checkBoxPieceExtentAffinity,
+              m_checkBoxMultiConnectionsPerIp, m_checkBoxValidateHTTPSTrackerCertificate, m_checkBoxSSRFMitigation, m_checkBoxBlockPeersOnPrivilegedPorts, m_checkBoxPieceExtentAffinity,
              m_checkBoxSuggestMode, m_checkBoxSpeedWidgetEnabled, m_checkBoxIDNSupport;
    QComboBox m_comboBoxInterface, m_comboBoxInterfaceAddress, m_comboBoxUtpMixedMode, m_comboBoxChokingAlgorithm, m_comboBoxSeedChokingAlgorithm;
    QLineEdit m_lineEditAnnounceIP;
--- a/src/webui/api/appcontroller.cpp
+++ b/src/webui/api/appcontroller.cpp
@ -328,6 +328,8 @@ void AppController::preferencesAction()
    data["enable_multi_connections_from_same_ip"] = session->multiConnectionsPerIpEnabled();
    // Validate HTTPS tracker certificate
    data["validate_https_tracker_certificate"] = session->validateHTTPSTrackerCertificate();
+    // SSRF mitigation
+    data["ssrf_mitigation"] = session->isSSRFMitigationEnabled();
    // Disallow connection to peers on privileged ports
    data["block_peers_on_privileged_ports"] = session->blockPeersOnPrivilegedPorts();
    // Embedded tracker
@ -797,6 +799,9 @@ void AppController::setPreferencesAction()
    // Validate HTTPS tracker certificate
    if (hasKey("validate_https_tracker_certificate"))
        session->setValidateHTTPSTrackerCertificate(it.value().toBool());
+    // SSRF mitigation
+    if (hasKey("ssrf_mitigation"))
+        session->setSSRFMitigationEnabled(it.value().toBool());
    // Disallow connection to peers on privileged ports
    if (hasKey("block_peers_on_privileged_ports"))
        session->setBlockPeersOnPrivilegedPorts(it.value().toBool());
--- a/src/webui/www/private/views/preferences.html
+++ b/src/webui/www/private/views/preferences.html
@ -1125,6 +1125,14 @@
                    <input type="checkbox" id="validateHTTPSTrackerCertificate" />
                </td>
            </tr>
+            <tr>
+                <td>
+                    <label for="mitigateSSRF">QBT_TR(Server-side request forgery (SSRF) mitigation:)QBT_TR[CONTEXT=OptionsDialog]&nbsp;<a href="https://www.libtorrent.org/reference-Settings.html#ssrf_mitigation" target="_blank">(?)</a></label>
+                </td>
+                <td>
+                    <input type="checkbox" id="mitigateSSRF" />
+                </td>
+            </tr>
            <tr>
                <td>
                    <label for="blockPeersOnPrivilegedPorts">QBT_TR(Disallow connection to peers on privileged ports:)QBT_TR[CONTEXT=OptionsDialog]&nbsp;<a href="https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports" target="_blank">(?)</a></label>
@ -1908,6 +1916,7 @@
                        $('IDNSupportCheckbox').setProperty('checked', pref.idn_support_enabled);
                        $('allowMultipleConnectionsFromTheSameIPAddress').setProperty('checked', pref.enable_multi_connections_from_same_ip);
                        $('validateHTTPSTrackerCertificate').setProperty('checked', pref.validate_https_tracker_certificate);
+                        $('mitigateSSRF').setProperty('checked', pref.ssrf_mitigation);
                        $('blockPeersOnPrivilegedPorts').setProperty('checked', pref.block_peers_on_privileged_ports);
                        $('enableEmbeddedTracker').setProperty('checked', pref.enable_embedded_tracker);
                        $('embeddedTrackerPort').setProperty('value', pref.embedded_tracker_port);
@ -2297,6 +2306,7 @@
            settings.set('idn_support_enabled', $('IDNSupportCheckbox').getProperty('checked'));
            settings.set('enable_multi_connections_from_same_ip', $('allowMultipleConnectionsFromTheSameIPAddress').getProperty('checked'));
            settings.set('validate_https_tracker_certificate', $('validateHTTPSTrackerCertificate').getProperty('checked'));
+            settings.set('ssrf_mitigation', $('mitigateSSRF').getProperty('checked'));
            settings.set('block_peers_on_privileged_ports', $('blockPeersOnPrivilegedPorts').getProperty('checked'));
            settings.set('enable_embedded_tracker', $('enableEmbeddedTracker').getProperty('checked'));
            settings.set('embedded_tracker_port', $('embeddedTrackerPort').getProperty('value'));