harvard-lts / DSpace

(Official) The DSpace digital asset management system that powers your Institutional Repository
https://wiki.lyrasis.org/display/DSDOC7x/
BSD 3-Clause "New" or "Revised" License

External context id resolution should have URL validation from config #41

Closed ghost closed 2 years ago

ghost commented 2 years ago

When a notification is received, and the context id is not a DSpace URL, we afford to use a HEAD request to resolve it. This creates a vulnerability for notifications to be received which attempt malicious HEAD requests.

Potential server-side request forgery due to a user-provided value.

https://lgtm.com/rules/1513978414265/

To remedy this a configuration of a list of acceptable resolver base URLs should be added and used to validate the external context ids.
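One way to implement the allow-list check proposed above, added here as an illustration in Java (the project's language); this is not DSpace's own code and not the contents of the fixing commit. The `configuredBases` list stands in for a hypothetical configuration property of acceptable resolver base URLs, and any example URLs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.stream.Collectors;

// Illustrative allow-list check for externally supplied context ids; not DSpace's own code.
public final class ContextIdResolverPolicy {
    private final List<URI> allowedBases;
    // configuredBases stands in for a hypothetical configuration property listing the
    // acceptable resolver base URLs, e.g. "https://repo.example.org/" (constructed value).
    public ContextIdResolverPolicy(List<String> configuredBases) {
        allowedBases = configuredBases.stream().map(s -> URI.create(s).normalize()).collect(Collectors.toList());
    }
    // True only when contextId is an absolute http(s) URL under a configured base;
    // anything else must never be sent a HEAD request.
    public boolean isResolvable(String contextId) {
        URI candidate;
        try {
            candidate = new URI(contextId).normalize();
        } catch (URISyntaxException e) {
            return false;
        }
        // Reject relative URLs, embedded credentials (user@host tricks) and hostless URLs.
        if (!candidate.isAbsolute() || candidate.getRawUserInfo() != null || candidate.getHost() == null) {
            return false;
        }
        String scheme = candidate.getScheme().toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        return allowedBases.stream().anyMatch(base -> matchesBase(candidate, base));
    }
    private static boolean matchesBase(URI candidate, URI base) {
        // Scheme, host and effective port must match exactly; a substring match on the
        // host would let "repo.example.org.attacker.example" through.
        if (!candidate.getScheme().equalsIgnoreCase(base.getScheme())
                || !candidate.getHost().equalsIgnoreCase(base.getHost())
                || effectivePort(candidate) != effectivePort(base)) {
            return false;
        }
        // Path must sit under the base path at a segment boundary, with no ".." left over.
        String basePath = base.getPath().endsWith("/") ? base.getPath() : base.getPath() + "/";
        String path = candidate.getPath().endsWith("/") ? candidate.getPath() : candidate.getPath() + "/";
        return !path.contains("/../") && path.startsWith(basePath);
    }
    private static int effectivePort(URI u) {
        return u.getPort() != -1 ? u.getPort() : ("https".equalsIgnoreCase(u.getScheme()) ? 443 : 80);
    }
}
```

The check only covers the URL as received; the HTTP client issuing the HEAD request should also not follow redirects automatically, or should re-run `isResolvable` on each redirect target, since a redirect would otherwise bypass the allow-list.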

awoods commented 2 years ago

Resolved with: https://github.com/harvard-lts/DSpace/commit/11ba270d2fee3c9d05e4d17d0a029a2456cecc64