Closed (aydinnyunus closed this issue 5 months ago)
Hello,
thanks for the issue.
For `::1`, it is allowed only for development, not in production. Cf https://github.com/cozy/cozy-stack/blob/master/pkg/safehttp/client.go#L84-L93
For 169.254.168.254 (and other link-local addresses), a fix is coming.
Hi again,
I mean if it is not in development mode. The IsPrivate function returns that it is not private in IPv6.
Yes, that's why we are using `IsLoopback` to block `::1` in production.
Hi Team,
I found an SSRF vulnerability in the Cozy-Stack package. Also, you can use the IPv6 `::1` version to bypass it.
You can find the POC on the following Playground link. The IsPrivate function did not check all of the internal URLs, so you can use the IsLinkLocalUnicast, IsLinkLocalMulticast and IsLoopback functions to do that.
Impact
169.254.169.254 is one of the AWS metadata server IP addresses and it should not be accessible to external users. But if a web server uses the IsPrivate function, it can be bypassed.
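Added example, not cozy-stack's own code: a Go host check that layers the `net.IP` predicates named in this thread (`IsPrivate`, `IsLoopback`, `IsLinkLocalUnicast`, `IsLinkLocalMulticast`), shown beside an `IsPrivate`-only check so the gap for `::1` and `169.254.169.254` is visible. Function names and the sample hosts are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// isInternalIP reports whether an outbound HTTP client should refuse ip in
// production: RFC 1918 / ULA ranges (IsPrivate, Go 1.17+), loopback
// (127.0.0.0/8 and ::1), link-local unicast (169.254.0.0/16, fe80::/10),
// link-local multicast, and the unspecified address. IsPrivate alone covers
// only the first group, which is the gap this issue describes.
func isInternalIP(ip net.IP) bool {
	if ip == nil {
		return true // unparsable input: fail closed
	}
	// Normalize IPv4-mapped IPv6 (::ffff:169.254.169.254) to plain IPv4 so the
	// IPv4 checks apply; To4 returns nil for a genuine IPv6 address.
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsPrivate() ||
		ip.IsLoopback() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsUnspecified()
}

// isPrivateOnly mirrors a check that relies on IsPrivate alone (the weak form).
func isPrivateOnly(ip net.IP) bool {
	return ip != nil && ip.IsPrivate()
}

// isBlockedHost parses a host taken from a URL and applies isInternalIP.
// A hostname must be resolved first and every resulting address checked.
func isBlockedHost(host string) bool {
	return isInternalIP(net.ParseIP(host))
}

func main() {
	hosts := []string{"169.254.169.254", "::1", "fe80::1", "10.0.0.5",
		"::ffff:169.254.169.254", "93.184.216.34"}
	for _, h := range hosts {
		fmt.Printf("%-24s IsPrivate only: %-5v full check: %v\n",
			h, isPrivateOnly(net.ParseIP(h)), isBlockedHost(h))
	}
}
```

The check must run on the resolved address at connection time (e.g. in a custom dialer), not only on the URL string, or a hostname or redirect can still lead to an internal address.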