
Insecure Image proxy #582

Open
phit opened this issue Jul 21, 2018 · 1 comment

Comments


phit commented Jul 21, 2018

Repro:

  • Embed an image hosted via HTTP on Ore.

Currently: the image will simply not be rendered on Ore and is stripped from the page; on the forum post you will get a mixed content warning due to HTTP resources on an HTTPS page.

Expected: insecure images should be passed through a proxy like camo for all user-hosted content: https://github.com/atmos/camo

FYI, this also leads to bypassing Discourse's built-in image proxy, which would usually avoid mixed content on the forums.

lol768 (Contributor) commented Jul 28, 2018

This should be implemented for sure, but it's difficult to do securely. Using something established like camo is probably best, but regardless of how this is implemented, ensure that:

  • The resolved IP is checked to ensure it is a publicly routable IP (i.e. doesn't fall into loopback range or private address spaces).
  • This should work with both v4 and v6 addresses.
    • Be sure that IPv4-mapped IPv6 addresses are correctly handled.
  • The system needs to make 100% sure that the resolved IP is the same one that will be used to fetch the image - consider round-robin DNS scenarios where multiple A/AAAA records exist.
  • If redirects (via the Location header) are followed, the above needs to be rechecked. Might be easier to ignore redirects.
  • Only whitelisted MIME types are allowed to be fetched, only whitelisted MIME types should ever be returned in a response. Examples: image/png, image/jpeg
    • Be careful with SVG that you haven't opened up a CSP bypass in the event of being able to insert a <script> (in other words, make sure the image proxy is not whitelisted in script-src).
  • Images should be served with X-Content-Type-Options=nosniff for dumb browsers.
  • CSP header should be updated to only whitelist the image proxy.
  • For extra security, consider using a separate domain to serve these images.

Deploying this can also help to prevent Ore being used as a conduit for carrying out CSRF attacks.
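The checklist in the comment above, worked through as an added example in Python. This is not Ore's code (Ore is written in Scala) and not camo's; the helper names, the blocked-range list, the MIME allow-list and the `constructed_resolver` fake DNS answers are assumptions made for illustration. It shows the three pieces a practitioner has to get right: vetting a resolved address (including IPv4-mapped IPv6), vetting every record of a round-robin answer and pinning the one the connection will use, and filtering the upstream response (no redirects, allow-listed MIME types only, `nosniff`).

```python
"""Target vetting for an SSRF-resistant image proxy (added example, not Ore's or camo's code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges refused on top of the ipaddress flags checked in is_public_ip(): "this network",
# carrier-grade NAT, IETF protocol assignments, benchmarking, class E, and three IPv6
# prefixes that embed an IPv4 address (NAT64, 6to4, Teredo). Assumed list for illustration.
_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "198.18.0.0/15", "240.0.0.0/4",
    "64:ff9b::/96", "2002::/16", "2001::/32",
)]

# Only these upstream Content-Types are fetched and re-served (assumed allow-list; no SVG).
ALLOWED_TYPES = frozenset({"image/png", "image/jpeg", "image/gif", "image/webp"})


def is_public_ip(addr: str) -> bool:
    """True only for a globally routable unicast address, IPv4 or IPv6."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # ::ffff:a.b.c.d must be judged by the embedded IPv4 address, not as "some IPv6".
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in _BLOCKED)


def resolve_pinned(host: str, resolver=socket.getaddrinfo) -> str:
    """Resolve host, vet every A/AAAA record, return the single address to connect to.

    Refusing the name when any record is non-public defeats round-robin answers that mix
    a public and an internal address. The caller must connect to the returned address
    itself (with the original name in the Host header); handing the hostname to an HTTP
    client would trigger a second, unchecked lookup.
    """
    try:
        infos = resolver(host, None, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        raise ValueError(f"cannot resolve {host!r}") from None
    addrs = sorted({info[4][0] for info in infos})  # dedupe, deterministic choice
    if not addrs:
        raise ValueError(f"no addresses for {host!r}")
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        raise ValueError(f"{host!r} resolves to non-public address(es) {bad}")
    return addrs[0]


def plan_fetch(url: str, resolver=socket.getaddrinfo) -> dict:
    """Validate a user-supplied image URL and return pinned connection parameters."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are proxied")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are rejected")
    return {
        "connect_to": resolve_pinned(parts.hostname, resolver),
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "host_header": parts.hostname,
        "path": (parts.path or "/") + (f"?{parts.query}" if parts.query else ""),
    }


def response_headers(upstream_status: int, upstream_content_type: str) -> dict:
    """Headers for the proxied reply, or ValueError if the upstream response is refused."""
    if 300 <= upstream_status < 400:
        # Following Location would mean re-running every check above for the new host;
        # the simplest safe policy is to treat any redirect as a failed fetch.
        raise ValueError("redirects are not followed")
    if upstream_status != 200:
        raise ValueError(f"upstream returned {upstream_status}")
    mime = upstream_content_type.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_TYPES:
        raise ValueError(f"refusing to proxy {mime!r}")
    return {"Content-Type": mime,
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'"}


def constructed_resolver(records: dict):
    """Fake getaddrinfo over constructed DNS answers, so the example runs offline."""
    def resolver(host, port, family, socktype, *args):
        if host not in records:
            raise socket.gaierror(host)
        return [(socket.AF_INET, socktype, 0, "", (a, port or 0)) for a in records[host]]
    return resolver


if __name__ == "__main__":
    dns = constructed_resolver({
        "cdn.example": ["93.184.216.34"],
        "rebind.example": ["93.184.216.34", "10.0.0.5"],     # round-robin with an internal record
        "metadata.example": ["::ffff:169.254.169.254"],      # IPv4-mapped link-local
    })
    for u in ("http://cdn.example/a.png", "http://rebind.example/a.png", "http://metadata.example/"):
        try:
            print(u, "->", plan_fetch(u, dns))
        except ValueError as e:
            print(u, "-> refused:", e)
```

The `Content-Security-Policy: default-src 'none'` on the proxied image is an extra belt-and-braces header for the case where a browser ever renders the response as a document; it does not replace the site-wide `img-src` restriction the comment asks for, nor the separate-domain recommendation.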
