Redo safety checks for instance_info

Using the `ip` feature, and some clever use of `Url::set_host` and `Url::host_str`

src/api/instance_info.rs

@@ -1,3 +1,5 @@
+use std::net::ToSocketAddrs;
+
 use rocket::serde::json::Json;
 use serde::{Deserialize, Serialize};
 use url::Url;
@@ -79,16 +81,28 @@ async fn get_info_from_manifest(url: Url) -> Option<[Option<String>; 3]> {
 
 #[get("/instance_info/<secure>/<host>")]
 pub async fn instance_info(secure: bool, host: &str) -> Option<Json<InstanceInfo>> {
-    let mut url = Url::parse(&format!(
+    let mut url = Url::parse(if secure {
-        "http{}://{host}/manifest.json",
+        "https://temp.host/manifest.json"
-        if secure { "s" } else { "" }
+    } else {
-    ))
+        "http://temp.host/manifest.json"
+    })
     .ok()?;
-    // I'm not sure if you can sneak in a path, but better safe than sorry
+    url.set_host(Some(host)).ok()?; // Using this to catch malformed hosts
-    // I don't really care about username/password/port, those are fine
+    let host = url.host_str()?; // Shadow the original host in case things were filtered out
-    if url.path() != "/manifest.json" {
+
+    // Check if the host is globally routable.
+    // This should help filter out a bunch of invalid or potentially malicious requests
+    let host_with_port = format!("{host}:{}", url.port_or_known_default()?);
+    if !host_with_port
+        .to_socket_addrs()
+        .ok()?
+        .next()?
+        .ip()
+        .is_global()
+    {
         return None;
     }
+
     let [name, short_name, icon_url] = get_info_from_manifest(url.clone())
         .await
         .unwrap_or_default();

src/main.rs

@@ -1,3 +1,4 @@
+#![feature(ip)]
 #[macro_use]
 extern crate rocket;