[SSRF] CVE-2023-27163
lvitti opened this issue · comments
Contains a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
https://nvd.nist.gov/vuln/detail/CVE-2023-27163
Any update on this?
There's no decent protection for such a feature. Even with every single suspicious URL filtered out, one could use a redirection to hit localhost anyways.
If we want to keep such a feature (which I do), the only solution is to make it admin-only (i.e. enter the master key).
Same could go for the whole "Settings" tab imho.
Thank you @ZanyMonk, that is true, it's quite complicated to implement a protection within a service; it's way easier to sandbox the service itself with properly defined firewall rules. One of the options: a separate project on the cloud provider; another is to use containers like Docker, LXC, etc. with a properly isolated network.
This issue was already discussed in this feature request: #79 (comment)
Nevertheless, my plan is to introduce a command-line parameter for the service that enables forwarding, so the feature would be disabled by default. This should at least solve a problem: anyone w/o real understanding of the security implications running the Request Baskets service with default settings w/o proper network isolation and therefore opening a back door to their internal network infrastructure.