feat: use custom DNS resolver for HTTP(S)

2026-04-27 02:16:29 +03:00 · 2024-07-20 12:59:51 +00:00
parent 2a605b93cd
commit 8f400dda85
7 changed files with 193 additions and 58 deletions
--- a/src/net/http.rs
+++ b/src/net/http.rs
@@ -1,5 +1,6 @@
 //! # HTTP module.

+use std::sync::Arc;
 use std::time::Duration;

 use anyhow::{anyhow, Result};
@@ -7,6 +8,7 @@ use mime::Mime;
 use once_cell::sync::Lazy;

 use crate::context::Context;
+use crate::net::lookup_host_with_cache;
 use crate::socks::Socks5Config;

 const HTTP_TIMEOUT: Duration = Duration::from_secs(30);
@@ -60,8 +62,13 @@ pub async fn read_url_blob(context: &Context, url: &str) -> Result<Response> {
 }

 async fn read_url_inner(context: &Context, url: &str) -> Result<reqwest::Response> {
-    let socks5_config = Socks5Config::from_database(&context.sql).await?;
-    let client = get_client(socks5_config)?;
+    // It is safe to use cached IP addresses
+    // for HTTPS URLs, but for HTTP URLs
+    // better resolve from scratch each time to prevent
+    // cache poisoning attacks from having lasting effects.
+    let load_cache = url.starts_with("https://");
+
+    let client = get_client(context, load_cache).await?;
    let mut url = url.to_string();

    // Follow up to 10 http-redirects
@@ -86,10 +93,57 @@ async fn read_url_inner(context: &Context, url: &str) -> Result<reqwest::Respons
    Err(anyhow!("Followed 10 redirections"))
 }

-pub(crate) fn get_client(socks5_config: Option<Socks5Config>) -> Result<reqwest::Client> {
+struct CustomResolver {
+    context: Context,
+
+    /// Whether to return cached results or not.
+    /// If resolver can be used for URLs
+    /// without TLS, e.g. HTTP URLs from HTML email,
+    /// this must be false. If TLS is used
+    /// and certificate hostnames are checked,
+    /// it is safe to load cache.
+    load_cache: bool,
+}
+
+impl CustomResolver {
+    fn new(context: Context, load_cache: bool) -> Self {
+        Self {
+            context,
+            load_cache,
+        }
+    }
+}
+
+impl reqwest::dns::Resolve for CustomResolver {
+    fn resolve(&self, hostname: reqwest::dns::Name) -> reqwest::dns::Resolving {
+        let context = self.context.clone();
+        let load_cache = self.load_cache;
+        Box::pin(async move {
+            let port = 443; // Actual port does not matter.
+
+            let socket_addrs =
+                lookup_host_with_cache(&context, hostname.as_str(), port, HTTP_TIMEOUT, load_cache)
+                    .await;
+            match socket_addrs {
+                Ok(socket_addrs) => {
+                    let addrs: reqwest::dns::Addrs = Box::new(socket_addrs.into_iter());
+
+                    Ok(addrs)
+                }
+                Err(err) => Err(err.into()),
+            }
+        })
+    }
+}
+
+pub(crate) async fn get_client(context: &Context, load_cache: bool) -> Result<reqwest::Client> {
+    let socks5_config = Socks5Config::from_database(&context.sql).await?;
+    let resolver = Arc::new(CustomResolver::new(context.clone(), load_cache));
+
    let builder = reqwest::ClientBuilder::new()
        .timeout(HTTP_TIMEOUT)
-        .add_root_certificate(LETSENCRYPT_ROOT.clone());
+        .add_root_certificate(LETSENCRYPT_ROOT.clone())
+        .dns_resolver(resolver);

    let builder = if let Some(socks5_config) = socks5_config {
        let proxy = reqwest::Proxy::all(socks5_config.to_url())?;