SSRF protection
When using the Embed library, validation of the input URLs to fetch from is left to the implementor. This means that a naive implementation of the library would be vulnerable to SSRF attacks which can lead to internal network compromise or intrusion on the server.
For example, given the following (extremely naive but still common) snippet:
```php
use Embed\Embed;

$embed = new Embed();
$url = $_REQUEST['url'];            // attacker-controlled
if (filter_var($url, FILTER_VALIDATE_URL)) {   // checks syntax only, not the target
    $info = $embed->get($url);      // fetches whatever the URL points at
    // ...snip...
}
```
The above is very vulnerable to SSRF attacks, where external users can feed valid URLs like:
- http://169.254.169.254/latest/meta-data/ (AWS instance metadata server)
- http://localhost (carry out port scanning with http://localhost:XXXX)
I suggest:
- Add a mention / warning in the documentation that it's up to the developer to validate the URL input (not only the format but also the targets!)
- Modify the CurlDispatcher implementation to leverage https://packagist.org/packages/j0k3r/safecurl or equivalent to mitigate SSRF-type attacks; it supports blacklists, whitelists and mitigates most DNS pinning attacks.
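One way to do the target validation the report asks for, shown as an added example rather than code from Embed or from the reporter. The `UrlTargetValidator` class name and the injectable resolver are assumptions made here; the lookup table in the usage section is constructed so the script runs offline, and the code needs PHP 8. The point it demonstrates is that `FILTER_VALIDATE_URL` only checks syntax (it accepts `file:///etc/passwd` and any hostname), so the scheme, the host and every address the host resolves to have to be checked before `$embed->get()` is called:

```php
<?php
// Added example: vet the *target* of a user-supplied URL before passing it to Embed.
// Not part of the Embed library; class name and resolver injection are assumptions.
declare(strict_types=1);

final class UrlTargetValidator
{
    /** @var callable(string): array<string> maps a hostname to the IPs it resolves to */
    private $resolver;

    public function __construct(?callable $resolver = null)
    {
        // Default: real DNS via gethostbynamel() (A records); returns false on failure.
        $this->resolver = $resolver ?? static function (string $host): array {
            $ips = gethostbynamel($host);
            return $ips === false ? [] : $ips;
        };
    }

    /** Returns null when the URL may be fetched, otherwise the reason it was rejected. */
    public function reject(string $url): ?string
    {
        if (filter_var($url, FILTER_VALIDATE_URL) === false) {
            return 'malformed URL';
        }
        $parts  = parse_url($url);
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return "scheme '$scheme' not allowed";          // blocks file://, gopher://, dict://, ...
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return 'credentials in URL not allowed';
        }
        $host = trim($parts['host'] ?? '', '[]');          // strip brackets of an IPv6 literal
        if ($host === '') {
            return 'missing host';
        }
        $lower = strtolower($host);
        if ($lower === 'localhost' || str_ends_with($lower, '.localhost')) {
            return 'localhost not allowed';
        }
        // A literal IP is checked directly; a hostname is resolved and EVERY address must be public,
        // so a name that mixes a public and an internal address (or a decimal/octal form the
        // resolver accepts) is still rejected.
        $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : ($this->resolver)($host);
        if ($ips === []) {
            return "host '$host' does not resolve";
        }
        foreach ($ips as $ip) {
            if (!self::isPublicIp($ip)) {
                return "host '$host' resolves to non-public address $ip";
            }
        }
        return null;
    }

    private static function isPublicIp(string $ip): bool
    {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
        return filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        ) !== false;
    }
}

// Usage with a constructed lookup table (real code would keep the default DNS resolver).
$table = [
    'example.com'  => ['93.184.216.34'],
    'evil.example' => ['93.184.216.34', '169.254.169.254'], // one public, one metadata address
];
$validator = new UrlTargetValidator(static fn (string $h): array => $table[$h] ?? []);

foreach ([
    'http://169.254.169.254/latest/meta-data/',
    'http://localhost:8080/',
    'http://[::1]/',
    'file:///etc/passwd',
    'http://user:pw@example.com/',
    'http://evil.example/',
    'https://example.com/page',
] as $url) {
    printf("%-45s %s\n", $url, $validator->reject($url) ?? 'OK');
}
```

Two caveats a practitioner should keep in mind. First, the lookup in `reject()` and the lookup curl does later are separate DNS queries, so a rebinding attacker can return a public address to the check and an internal one to the fetch; closing that gap means pinning the vetted address into the request (for example with curl's `CURLOPT_RESOLVE`, `"host:port:ip"`), which is what a dedicated dispatcher like the one proposed above would do. Second, this check covers only the first hop: if the dispatcher follows redirects, every redirect target needs the same treatment, or redirects have to be disabled. On PHP 8.2 and later, `FILTER_FLAG_GLOBAL_RANGE` can be added to `isPublicIp()` to reject further non-global ranges.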
That's a good idea
Is the safecurl library compatible with curl_multi_*? Instead of modifying CurlDispatcher, I'd rather create a new SafeCurlDispatcher, so the user can decide which one to use.
I'm a bit busy right now. Do you want to work on a PR with this?
I'm not sure SafeCurl supports multi directly. I'll try to give it a spin but it might take me a little while!