validate redirect url

lib/download_utils.rb

@@ -1,7 +1,35 @@
 # frozen_string_literal: true
 
 module DownloadUtils
-  LOCALHOSTS = %w[0.0.0.0 127.0.0.1 localhost].freeze
+  LOCALHOSTS = Set[
+    '0.0.0.0',
+    '127.0.0.1',
+    '127.0.1.1',
+    'localhost',
+    'localhost.localdomain',
+    '::1',
+    '[::1]',
+    'ip6-localhost',
+    'ip6-loopback',
+    '127.0.0.0',
+    '127.255.255.255',
+    '::',
+    '0:0:0:0:0:0:0:1',
+    '[0:0:0:0:0:0:0:1]',
+    '0000:0000:0000:0000:0000:0000:0000:0001',
+    '[0000:0000:0000:0000:0000:0000:0000:0001]',
+    '::0',
+    '0::0',
+    '::ffff:127.0.0.1',
+    '[::ffff:127.0.0.1]',
+    '::ffff:7f00:1',
+    '[::ffff:7f00:1]',
+    'local',
+    'localhost.local',
+    'ip6-localnet',
+    'ip6-allnodes',
+    'ip6-allrouters'
+  ].freeze
 
   UnableToDownload = Class.new(StandardError)
 
@@ -14,10 +42,7 @@ module DownloadUtils
       Addressable::URI.parse(url).normalize
     end
 
-    if Docuseal.multitenant?
+    validate_uri!(uri) if Docuseal.multitenant?
-      raise UnableToDownload, "Error loading: #{uri}. Only HTTPS is allowed." if uri.scheme != 'https'
-      raise UnableToDownload, "Error loading: #{uri}. Can't download from localhost." if uri.host.in?(LOCALHOSTS)
-    end
 
     resp = conn.get(uri)
 
@@ -26,9 +51,16 @@ module DownloadUtils
     resp
   end
 
+  def validate_uri!(uri)
+    raise UnableToDownload, "Error loading: #{uri}. Only HTTPS is allowed." if uri.scheme != 'https'
+    raise UnableToDownload, "Error loading: #{uri}. Can't download from localhost." if uri.host.in?(LOCALHOSTS)
+  end
+
   def conn
     Faraday.new do |faraday|
-      faraday.response :follow_redirects
+      faraday.response :follow_redirects, callback: lambda { |_, new_env|
+        validate_uri!(new_env[:url]) if Docuseal.multitenant?
+      }
     end
   end
 end