Automattic / wordpress-activitypub

ActivityPub for WordPress
https://wordpress.org/plugins/activitypub/
MIT License

wp_http_validate_url may be misused, blocking private subnets. #718

Open erenfro opened 3 months ago

erenfro commented 3 months ago

Quick summary

I discovered this issue in regard to the use of the function check_url: when trying to add a "friend" that was linked to my own Friendica and later Mastodon website, run on the very same cluster of servers running my WordPress site, no traffic ever left WordPress or my webserver specifically while the Mastodon domain name resolved to a local internal subnet IP. When changing this to an external internet address IP, however, things magically worked.

https://github.com/Automattic/wordpress-activitypub/blob/7ae3e7383d9c3fa1530940f7345b90b8e2bef642/includes/functions.php#L78

This call here is intended for very specific use-cases, and I fear this may be one of the specific use cases this may or may not be legitimately useful for, as it's expecting a very specific protocol and only such.

Per a case I opened about this at WordPress, I feel this may be a case where this is probably hindering more than it should be.

Steps to reproduce

Set up any ActivityPub provider service on a local private subnet IP range, and get this plugin to try to interface with it.

What you expected to happen

It should validate and attempt to communicate with the site with the expected protocols defined.

What actually happened

It gets rejected without ever trying.

Impact

All

Available workarounds?

Yes, difficult to implement

Logs or notes

The only way to get around this issue that I've found is to create a custom plugin that runs add_filter() and provides a host-by-host allow list specifically getting around the private subnet blocklist. So it has to be very specific.

pfefferle commented 3 months ago

Hey @erenfro, thanks for your investigation.

I think your case is very special and therefore it should be handled as an exception. As @dd32 already mentioned in the TRAC ticket, these checks are to prevent SSRF attacks.

See a CVE from Mastodon from the last year: https://scumjr.github.io/2023/10/12/from-ssrf-to-rce-on-mastodon-cve-2023-42450/

janboddez commented 2 weeks ago

Also ran into this before.

I think if you use wp_http_validate_url() or one of the wp_safe_remote* or even wp_safe_redirect() functions WordPress core "blocks" calls to URLs it thinks are hosted on the same machine.

There's a filter through which you can mark hosts as "external," though, and then they should work just fine.

So I don't think (?) this is a plugin issue. (Just the $0.02 of someone who's been "fortunate" enough to have run into a similar problem in the past.)
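As an added example (not code from the ActivityPub plugin or from anyone in this thread), here is what the host-by-host allow list erenfro describes, using the core filter janboddez refers to, looks like as a small mu-plugin. It assumes the WordPress core filter `http_request_host_is_external`, which `wp_http_validate_url()` applies only after it has already decided a host resolves to a private range; the function name, the constant and the two `.internal` hostnames are constructed for the example. The point from a defender's side is that the exception is as narrow as possible: exact host match, no wildcards, ActivityPub's own schemes only, so the SSRF protection stays in force for every other private-range destination.

```php
<?php
/**
 * Plugin Name: ActivityPub Internal Host Allow List (example)
 *
 * Added example, not part of the ActivityPub plugin. Marks a small, explicit
 * set of hosts as "external" so wp_http_validate_url() lets requests through
 * to them although they resolve to a private subnet. Every other
 * private-range host keeps the default rejection, so the SSRF protection
 * that motivated the check remains intact.
 */

// Constructed sample values: replace with the fediverse hosts you actually run.
const ACTIVITYPUB_EXAMPLE_ALLOWED_INTERNAL_HOSTS = array(
	'mastodon.example.internal',
	'friendica.example.internal',
);

/**
 * Decide whether a host that resolved to a private address may be contacted.
 *
 * Core passes the current decision (false by default), the hostname taken
 * from the URL, and the full URL. Returning true lets the request proceed;
 * returning false keeps the built-in block.
 *
 * @param bool   $is_external Current decision from core or earlier filters.
 * @param string $host        Hostname parsed from the URL.
 * @param string $url         Full URL being validated.
 * @return bool
 */
function activitypub_example_allow_internal_host( $is_external, $host, $url ) {
	// Only ever widen the allow list; never undo another filter's decision.
	if ( $is_external ) {
		return true;
	}

	// Exact, case-insensitive host match. No wildcard or suffix matching, so a
	// lookalike such as mastodon.example.internal.evil.test does not qualify.
	$host = strtolower( (string) $host );
	if ( ! in_array( $host, ACTIVITYPUB_EXAMPLE_ALLOWED_INTERNAL_HOSTS, true ) ) {
		return false;
	}

	// Allow only the schemes ActivityPub traffic actually uses; a URL that does
	// not parse, or uses anything else, falls back to the core block.
	$scheme = wp_parse_url( $url, PHP_URL_SCHEME );
	return in_array( strtolower( (string) $scheme ), array( 'https', 'http' ), true );
}
add_filter( 'http_request_host_is_external', 'activitypub_example_allow_internal_host', 10, 3 );
```

Dropped into wp-content/mu-plugins/ this takes effect without activation. It does not loosen the other conditions `wp_http_validate_url()` enforces (scheme, port and credential checks still apply), which is the intended effect: the private-subnet block is the only thing being excepted, and only for the hosts listed.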