
wp_http_validate_url may be misused, blocking private subnets.

Open erenfro opened this issue 10 months ago • 2 comments

Quick summary

I discovered this issue in regards to the use of the function check_url: when trying to add a "friend" that was linked to my own Friendica and later Mastodon website, run on the very same cluster of servers running my WordPress site, no traffic ever left WordPress or my web server specifically while resolving the Mastodon domain name to a local internal subnet IP. When changing this to an external internet IP address, however, things magically worked.

https://github.com/Automattic/wordpress-activitypub/blob/7ae3e7383d9c3fa1530940f7345b90b8e2bef642/includes/functions.php#L78

This call here is intended for very specific use cases, and I fear this may be one of the specific use cases it may or may not be legitimately useful for, as it's expecting a very specific protocol and only such.

Per a case I opened about this at WordPress, I feel this may be a case where this is probably hindering more than it should be.

Steps to reproduce

Set up any ActivityPub provider service on a local private subnet IP range, and get this plugin to try to interface with it.

What you expected to happen

It should validate and attempt to communicate with the site with the expected protocols defined.

What actually happened

It gets rejected without ever trying.

Impact

All

Available workarounds?

Yes, difficult to implement

Logs or notes

The only way to get around this issue that I've found is to create a custom plugin that runs add_filter() and provides a host-by-host allow list specifically getting around the private subnet blocklist. So it has to be very specific.

erenfro avatar Apr 05 '24 05:04 erenfro

Hey @erenfro thanks for your investigations.

I think your case is very special and therefore it should be handled as an exception. As @dd32 already mentioned in the Trac ticket, these checks are to prevent SSRF attacks.

See a CVE from Mastodon from last year: https://scumjr.github.io/2023/10/12/from-ssrf-to-rce-on-mastodon-cve-2023-42450/

pfefferle avatar Apr 05 '24 06:04 pfefferle

Also ran into this before.

I think if you use wp_http_validate_url() or one of the wp_safe_remote* or even wp_safe_redirect() functions WordPress core "blocks" calls to URLs it thinks are hosted on the same machine.

There's a filter through which you can mark hosts as "external," though, and then they should work just fine.

So I don't think (?) this is a plugin issue. (Just the $0.02 of someone who's been "fortunate" enough to have run into a similar problem in the past.)

janboddez avatar Jun 20 '24 13:06 janboddez
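A minimal version of the filter-based workaround that erenfro's "Logs or notes" and janboddez's comment both describe, added here as an example and not code from the plugin or from either commenter. It hooks WordPress core's `http_request_host_is_external` filter (the one `wp_http_validate_url()` consults when a host resolves to a private range) and marks only an explicit, host-by-host allow list as "external", so the SSRF guard stays in force for every other host. The hostnames are placeholders and the https-only restriction is an extra assumption, not something core requires.

```php
<?php
/**
 * Plugin Name: ActivityPub private-host allow list (example mu-plugin)
 * Description: Let wp_http_validate_url() reach a few named hosts on a
 *              private subnet while keeping core's SSRF protection for all
 *              other destinations.
 */

/**
 * Hosts on the private network that WordPress is allowed to contact.
 * Constructed placeholder values; replace with your own instance hostnames.
 * Keep this list short and exact: no wildcards, no bare IP addresses.
 */
function ap_example_private_host_allowlist() {
	return array(
		'mastodon.internal.example',  // placeholder
		'friendica.internal.example', // placeholder
	);
}

/**
 * Filter callback for 'http_request_host_is_external'.
 *
 * Core calls this with $is_external = false only after it has already
 * resolved $host to a loopback/private IP. Returning true here is what
 * lets the request through, so we return true for listed hosts only.
 *
 * @param bool   $is_external Core's verdict so far (false = private).
 * @param string $host        Hostname taken from the URL being validated.
 * @param string $url         The full URL being validated.
 * @return bool
 */
function ap_example_private_host_is_external( $is_external, $host, $url ) {
	if ( $is_external ) {
		return true; // something else already allowed it
	}

	$host = strtolower( trim( (string) $host, '.' ) );
	if ( ! in_array( $host, ap_example_private_host_allowlist(), true ) ) {
		return false; // keep the private-subnet block for everything else
	}

	// Assumption: ActivityPub traffic is https-only, so refuse plain http
	// even to an allow-listed host.
	return 'https' === wp_parse_url( $url, PHP_URL_SCHEME );
}
add_filter( 'http_request_host_is_external', 'ap_example_private_host_is_external', 10, 3 );
```

Drop the file into `wp-content/mu-plugins/` so it loads before the ActivityPub plugin; requests to any host not in the list are still rejected exactly as before.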

I will close this for now, because I do not think that this is an issue of the plugin.

pfefferle avatar Sep 23 '24 09:09 pfefferle