darklynx / request-baskets

HTTP requests collector to test webhooks, notifications, REST clients and more ...
https://rbaskets.in
MIT License

[SSRF] CVE-2023-27163 #91

Open lvitti opened 11 months ago

lvitti commented 11 months ago

Contains a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

https://nvd.nist.gov/vuln/detail/CVE-2023-27163

https://notes.sjtu.edu.cn/s/MUUhEymt7

https://github.com/entr0pie/CVE-2023-27163

6abc commented 8 months ago

Any update on this?

ZanyMonk commented 6 months ago

There's no decent protection for such feature. Even with every single suspicious URL filtered out, one could use a redirection to hit localhost anyways.

If we want to keep such a feature (which I do), the only solution is to make it admin-only (i.e. enter the master key). The same could go for the whole "Settings" tab imho.

darklynx commented 6 months ago

Thank you @ZanyMonk, that is true, it's quite complicated to implement a protection within a service; it's way easier to sandbox the service itself with properly defined firewall rules. One of the options: a separate project on the cloud provider; another, use containers like Docker, LXC, etc. with a properly isolated network.

This issue was already discussed in this feature request: https://github.com/darklynx/request-baskets/issues/79#issuecomment-1586379590

Nevertheless, my plan is to introduce a command line parameter for the service that enables forwarding, so the feature would be disabled by default. This should at least solve a problem: anyone w/o real understanding of the security implications running the Request Baskets service with default settings w/o proper network isolation and therefore opening a back door to their internal network infrastructure.
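The two mitigations discussed in this thread, forwarding off unless explicitly enabled and re-checking the target on every redirect hop rather than only on the first URL, as an added Go sketch that is not request-baskets' own code. The opt-in flag, the `Resolver` injection and the function names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Resolver is injected so the policy can be tested without real DNS (assumption).
type Resolver func(host string) ([]net.IP, error)

// isNonPublic flags loopback, link-local, RFC 1918 / ULA and unspecified addresses.
func isNonPublic(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified()
}

// checkForwardTarget validates one hop: http(s) only, and every address the host
// resolves to must be public. It runs on the initial URL and on every redirect.
func checkForwardTarget(u *url.URL, resolve Resolver) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("host %q did not resolve", u.Hostname())
	}
	for _, ip := range ips {
		if isNonPublic(ip) {
			return fmt.Errorf("host %q resolves to non-public address %s", u.Hostname(), ip)
		}
	}
	return nil
}

// NewForwardClient refuses to build a client unless forwarding was enabled explicitly
// (the hypothetical opt-in flag) and re-validates each redirect hop before following it.
func NewForwardClient(forwardEnabled bool, resolve Resolver) (*http.Client, error) {
	if !forwardEnabled {
		return nil, errors.New("forwarding is disabled by default; enable it explicitly")
	}
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return checkForwardTarget(req.URL, resolve)
		},
	}, nil
}
```

The resolve-then-dial gap still leaves a DNS rebinding window, so this check complements rather than replaces the network isolation the maintainer recommends above.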