Domain resolution issue affecting topic embeds

angus · April 22, 2024, 7:25am

There is possibly a domain resolution issue affecting topic embeds.

The topic embed system relies on FinalDestination to resolve topic embed urls (see here).
FinalDestination resolves the hostname of a url to an IP via SSRFDetector (see here)
FinalDestination then sends the uri to Excon for the actual request (see here).

This means that some topic embed urls, for example

"https://opensource.org/blog/osi-response-to-ntia"

end up being sent to Excon for a GET request like so:

"https://[2604:a880:800:a1::2f0:a001]/blog/osi-response-to-ntia"

This request will time out. An Excon.get of the original URL will not.

david · April 22, 2024, 9:39am

It seems ok here on Meta:

From your description, my guess would be that your server is resolving ipv6 records when making DNS lookups (we use getaddrinfo for that). But then when attempting to connect to them, it’s failing.

That might be because it tries the ip6 address, fails, and then falls back to the ip4 address. We don’t currently have that kind of fallback logic in FinalDestination#resolve:

github.com

discourse/discourse/blob/b3f119231216d0ddad384960380f335a9f65e8e0/lib/final_destination.rb#L256-L257


      
          # This technique will only use the first resolved IP
          # TODO: Can we standardise this by using FinalDestination::HTTP?

Topic		Replies	Views
OneBox – problems with Vimeo and Streamable embeds support	4	1166	June 24, 2023
FinalDestination::SSRFDetector support	4	145	March 25, 2024
Referer embeding problems - x does not match x support	6	591	January 19, 2022
One of TopicEmbed.import spec fails with Ruby 3 dev	2	470	October 10, 2021
Twitter embeds have broken support	28	3383	July 8, 2020

Domain resolution issue affecting topic embeds

Related Topics