Validate Host header matches expected value before allowing access to MediaProxy

lib/pleroma/web/media_proxy/media_proxy_controller.ex

@@ -12,6 +12,7 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
   alias Pleroma.Web.MediaProxy
   alias Plug.Conn
 
+  plug(:validate_host)
   plug(:sandbox)
 
   def remote(conn, %{"sig" => sig64, "url" => url64}) do
@@ -205,6 +206,17 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyController do
     Config.get([:media_proxy, :proxy_opts], [])
   end
 
+  defp validate_host(conn, _params) do
+    proxy_host = MediaProxy.base_url() |> URI.parse() |> Map.get(:host)
+
+    if match?(^proxy_host, conn.host) do
+      conn
+    else
+      send_resp(conn, 400, Conn.Status.reason_phrase(400))
+      |> halt()
+    end
+  end
+
   defp sandbox(conn, _params) do
     conn
     |> merge_resp_headers([{"content-security-policy", "sandbox;"}])

test/pleroma/web/media_proxy/media_proxy_controller_test.exs

@@ -54,6 +54,23 @@ defmodule Pleroma.Web.MediaProxy.MediaProxyControllerTest do
              } = get(conn, "/proxy/hhgfh/eeee/fff")
     end
 
+    test "it returns a 400 for invalid host", %{conn: conn} do
+      clear_config([:media_proxy, :base_url], "http://mp.localhost/")
+
+      url =
+        MediaProxy.encode_url("https://pleroma.social/logo.jpeg")
+        |> URI.parse()
+        |> Map.put(:host, "wronghost")
+        |> URI.to_string()
+
+      with_mock Pleroma.ReverseProxy,
+        call: fn _conn, _url, _opts -> %Conn{status: :success} end do
+        %{status: status} = get(conn, url)
+
+        assert status == 400
+      end
+    end
+
     test "redirects to valid url when filename is invalidated", %{conn: conn, url: url} do
       invalid_url = String.replace(url, "test.png", "test-file.png")
       response = get(conn, invalid_url)