
Security: IP validation missing for Server model #13

@Snider

Description

The Server model accepts any string for the 'ip' field without validation for valid IP addresses or hostnames.

Location

  • File: src/View/Modal/Admin/Servers.php (validation rules, lines 87-92)
  • File: src/Models/Server.php (fillable, line 49)

Issue

The validation rules only check:

  • ip => required|string|max:255

This allows:

  1. Loopback and private IP addresses (127.0.0.1, 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x) and their IPv6 equivalents (::1, fc00::/7), including IPv4-mapped forms such as ::ffff:127.0.0.1
  2. Cloud metadata endpoints (169.254.169.254, and more generally the 169.254.0.0/16 link-local range)
  3. Local hostnames that resolve to internal services
  4. Malformed input that is neither an IP literal nor a hostname, which is only detected when the SSH connection fails

Because the application opens an outbound SSH connection to whatever address is stored, the field is an SSRF primitive: connection success, failure and error messages reveal which internal hosts are reachable from the application server. Note that the field is set from the admin Servers modal, so the attacker here is an authenticated admin, or someone who reaches that form through another flaw.

Recommendation

  1. Add IP/hostname validation (ip or domain format)
  2. Block connections to private IP ranges and localhost
  3. Block connections to cloud metadata endpoints
  4. Consider allowlisting specific IP ranges or requiring domain verification
  5. Validate DNS resolution before saving, and re-check the resolved address at connection time: a hostname that resolves to a public address when saved can later be repointed at an internal one (DNS rebinding), so save-time validation alone does not close the hole
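As an added example, not code from this project, here is a plain-PHP validator that implements recommendations 1, 2, 3 and 5 above: it accepts either an IP literal or a fully qualified hostname, folds IPv4-mapped IPv6 addresses back to IPv4 so ::ffff:127.0.0.1 cannot slip past an IPv4-only check, rejects loopback, private, link-local (including 169.254.169.254) and multicast ranges, and resolves hostnames through an injectable resolver so every A/AAAA record is checked. The function names, the blocked-range list and the in-block resolver map are assumptions for illustration; the resolver map is constructed test data so the script runs offline.

```php
<?php
// Added example, not the project's own code. Plain PHP, no framework.
// Names (packAddress, inCidr, isBlockedAddress, validateServerTarget) are hypothetical.
declare(strict_types=1);

// Ranges an SSH target must never fall into (assumed list; extend per deployment).
const BLOCKED_CIDRS = [
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4',
    '::/128', '::1/128', 'fc00::/7', 'fe80::/10', 'ff00::/8',
];

/** Packed binary form of an IP literal, with ::ffff:a.b.c.d folded to 4-byte IPv4; null if not an IP. */
function packAddress(string $ip): ?string
{
    $bin = @inet_pton($ip);
    if ($bin === false) {
        return null;
    }
    if (strlen($bin) === 16 && substr($bin, 0, 12) === "\0\0\0\0\0\0\0\0\0\0\xff\xff") {
        return substr($bin, 12); // IPv4-mapped IPv6: check it as the IPv4 it really is
    }
    return $bin;
}

/** True if the packed address lies inside the CIDR block (families must match). */
function inCidr(string $packed, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $netBin = inet_pton($net);
    if (strlen($netBin) !== strlen($packed)) {
        return false;
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($packed, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xff << (8 - $rem)) & 0xff; // partial byte: compare only the prefix bits
    return (ord($packed[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** An unparsable string is treated as blocked: the caller never connects to it. */
function isBlockedAddress(string $ip): bool
{
    $packed = packAddress($ip);
    if ($packed === null) {
        return true;
    }
    foreach (BLOCKED_CIDRS as $cidr) {
        if (inCidr($packed, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Returns null when $value is acceptable, otherwise an error message.
 * Hostnames must be FQDNs (so bare "localhost" is rejected) and every
 * resolved A/AAAA record must be outside the blocked ranges.
 */
function validateServerTarget(string $value, ?callable $resolver = null): ?string
{
    $value = trim($value);
    if (packAddress($value) !== null) {
        return isBlockedAddress($value) ? 'Address is in a blocked range' : null;
    }
    // RFC 1123 labels, at least one dot, alphabetic top-level label.
    if (!preg_match('/^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $value)) {
        return 'Not a valid IP address or fully qualified hostname';
    }
    // Default resolver uses the system DNS; tests inject a fake one.
    $resolver ??= static function (string $host): array {
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $r) {
            $ips[] = $r['ip'] ?? $r['ipv6'];
        }
        return $ips;
    };
    $ips = $resolver($value);
    if ($ips === []) {
        return 'Hostname does not resolve';
    }
    foreach ($ips as $ip) {
        if (isBlockedAddress($ip)) {
            return "Hostname resolves to blocked address $ip";
        }
    }
    return null;
}

// Constructed resolver data so the example runs with no network access.
$fakeDns = static fn (string $h): array =>
    ['internal.example' => ['10.0.0.5'], 'web.example' => ['203.0.113.7']][$h] ?? [];

foreach (['203.0.113.7', '169.254.169.254', '::ffff:127.0.0.1', 'fe80::1',
          'internal.example', 'web.example', 'localhost', 'not valid'] as $t) {
    printf("%-20s %s\n", $t, validateServerTarget($t, $fakeDns) ?? 'ok');
}
```

In a Laravel rules array this would sit beside the existing rule as a closure rule, for example `'ip' => ['required', 'string', 'max:255', function ($attr, $value, $fail) { if ($err = validateServerTarget($value)) $fail($err); }]`. The save-time check is only half of it: run `isBlockedAddress()` again on the address the SSH client actually connects to (or connect to the validated IP and pass the hostname separately), otherwise a hostname repointed after validation still reaches the internal network.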

Severity

Medium - Could enable internal network scanning via SSRF
