v4.14.0

-----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQTqYa7kNs8D7Oo9dgLSEYbwtHKVrQUCYUB7mgAKCRDSEYbwtHKV
 rYTGAP9dggMBUTq6+2yLyYHChVMqLez2WS/XmgTdC4mc2tsZzgD+J2/zhRObGYX0
 d54Y39pAw7rPV8Z8md9nCm9olPpE4AM=
 =w206
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQTqYa7kNs8D7Oo9dgLSEYbwtHKVrQUCYUB8kwAKCRDSEYbwtHKV
 rTGVAP4wqFwWwQUFUXX4tLbvcLKQalvHQI3soLFneAzZT1M3DQEAtWO+crkH2auN
 Agt8ND2ndlIzsyGxYywliajBfbQVZwM=
 =nFhH
 -----END PGP SIGNATURE-----

Merged v4.14.0 into main

v4.14.0

core/client

@@ -1 +1 @@
-Subproject commit ef223b0312d2d118ec5f0a0922146ef0d52fe6f8
+Subproject commit 5c2d1e4339f2d47be747b4f948ea17ea3cd7fcad

core/server/lib/request-external.js

@@ -12,8 +12,9 @@ function isPrivateIp(addr) {
       /^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) ||
       /^f[cd][0-9a-f]{2}:/i.test(addr) ||
       /^fe80:/i.test(addr) ||
-      /^::1$/.test(addr) ||
-      /^::$/.test(addr);
+      /^::[10]$/.test(addr) ||
+      /^::$/.test(addr) ||
+      /^0/.test(addr);
 }
 
 async function errorIfHostnameResolvesToPrivateIp(options) {

core/server/services/oembed.js

@@ -101,8 +101,13 @@ class OEmbed {
         try {
             const cookieJar = new CookieJar();
             const response = await this.externalRequest(url, {cookieJar});
-            const html = response.body;
-            scraperResponse = await metascraper({html, url});
+
+            if (this.isIpOrLocalhost(response.url)) {
+                scraperResponse = {};
+            } else {
+                const html = response.body;
+                scraperResponse = await metascraper({html, url});
+            }
         } catch (err) {
             return Promise.reject(err);
         }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "4.13.0",
+  "version": "4.14.0",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",

test/api-acceptance/admin/oembed.test.js

@@ -126,6 +126,31 @@ describe('Oembed API', function () {
             should.exist(res.body.errors);
             res.body.errors[0].context.should.match(/insufficient metadata/i);
         });
+
+        it('errors when fetched url is an IP address', async function () {
+            const redirectMock = nock('http://test.com/')
+                .get('/')
+                .reply(302, undefined, {Location: 'http://0.0.0.0:8080'});
+
+            const pageMock = nock('http://0.0.0.0:8080')
+                .get('/')
+                .reply(
+                    200,
+                    '<html><head><title>TESTING</title></head><body></body></html>',
+                    {'content-type': 'text/html'}
+                );
+
+            const url = encodeURIComponent('http://test.com');
+            const res = await request.get(localUtils.API.getApiQuery(`oembed/?type=bookmark&url=${url}`))
+                .set('Origin', config.get('url'))
+                .expect('Content-Type', /json/)
+                .expect('Cache-Control', testUtils.cacheRules.private)
+                .expect(422);
+
+            pageMock.isDone().should.be.true();
+            should.exist(res.body.errors);
+            res.body.errors[0].context.should.match(/insufficient metadata/i);
+        });
     });
 
     describe('with unknown provider', function () {