try to prevent search of onion domain as subdomain of a search zone

2021-05-05 14:28:58 +02:00
parent 664301fafa
commit e4118250f8
1 changed files with 47 additions and 0 deletions
--- a/crates/resolver/src/async_resolver.rs
+++ b/crates/resolver/src/async_resolver.rs
@@ -14,6 +14,7 @@ use std::sync::Arc;
 use futures_util::{self, future};
 use proto::error::ProtoResult;
 use proto::op::Query;
+use proto::rr::domain::usage::ONION;
 use proto::rr::domain::TryParseIp;
 use proto::rr::{IntoName, Name, Record, RecordType};
 use proto::xfer::{DnsRequestOptions, RetryDnsHandle};
@@ -300,6 +301,18 @@ impl<C: DnsHandle<Error = ResolveError>, P: ConnectionProvider<Conn = C>> AsyncR
        // if it's fully qualified, we can short circuit the lookup logic
        if name.is_fqdn() {
            vec![name]
+        } else if ONION.zone_of(&name)
+            && name
+                .trim_to(2)
+                .iter()
+                .next()
+                .map(|name| name.len() == 56)
+                .unwrap_or(false)
+        {
+            // special handling of .onion looking names. Try to not break onion.example.com. and
+            // *.onion.example.com, but reject Tor Onion V3 names. Onion V2 are deprectated and
+            // soon to be removed
+            vec![name]
        } else {
            // Otherwise we have to build the search list
            // Note: the vec is built in reverse order of precedence, for stack semantics
@@ -1283,4 +1296,38 @@ mod tests {
        let handle = TokioHandle;
        search_ipv6_name_parse_fails_test::<Runtime, TokioRuntime>(io_loop, handle);
    }
+
+    #[test]
+    fn test_build_names_onion() {
+        let handle = TokioHandle;
+        let mut config = ResolverConfig::default();
+        config.add_search(Name::from_ascii("example.com.").unwrap());
+        let resolver =
+            AsyncResolver::<GenericConnection, GenericConnectionProvider<TokioRuntime>>::new(
+                config,
+                ResolverOpts::default(),
+                handle,
+            )
+            .expect("failed to create resolver");
+        let tor_address = [
+            Name::from_ascii("2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion")
+                .unwrap(),
+            Name::from_ascii("www.2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion")
+                .unwrap(), // subdomain are allowed too
+        ];
+        let not_tor_address = [
+            Name::from_ascii("onion").unwrap(),
+            Name::from_ascii("www.onion").unwrap(),
+            Name::from_ascii("2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.www.onion")
+                .unwrap(), // www before key
+            Name::from_ascii("2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion.to")
+                .unwrap(), // Tor2web
+        ];
+        for name in &tor_address {
+            assert_eq!(resolver.build_names(name.clone()).len(), 1);
+        }
+        for name in &not_tor_address {
+            assert_eq!(resolver.build_names(name.clone()).len(), 2);
+        }
+    }
 }