fix: validate upload proxy target URL to prevent SSRF abuse #204
Open
MD-Mushfiqur123 wants to merge 1 commit into
Conversation
The upload-binary endpoint accepts a user-supplied x-proxy-target-url and performs a server-side fetch. Without validation, this creates an SSRF risk — an attacker could point the proxy at internal services. Fix by requiring HTTPS and rejecting requests to internal/reserved IP ranges (RFC 1918, localhost, link-local).
Problem

The /api/upload-binary and /api/v1/upload-binary endpoints accept an x-proxy-target-url field from client form data and perform a server-side fetch to that URL. Since the value originates from client-controlled input, an attacker could set it to an internal address (e.g., http://169.254.169.254/ for cloud metadata, http://localhost:8080/ for internal services) and abuse the server as an open relay.

Fix

Added isUnsafeTarget() validation to both upload-binary routes that:
- rejects private ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x), link-local (169.254.x.x), loopback (127.x.x.x, ::1), and localhost

Invalid URLs return HTTP 400 with "Invalid or unsafe proxy target URL" instead of being forwarded.

Impact

Fixes #162