-
-
Notifications
You must be signed in to change notification settings - Fork 480
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Server-Side Request Forgery <iframe src='file:///etc/passwd'> (in version 6.3.0) #261
Comments
Hello @etsms, Thanks for this well-written issue! It's already on my TODO list 👍 AFAIK, it would be possible to check each requests done by Google Chrome and prevent loading "unsafe" ones. |
@gulien - great to hear! Thanks for the update. Looking forward to testing again. |
@gulien - Question for ya... Our security team is wondering about a timeline for this patch. Do you or the gotenburg team have a timeline for this? |
No because I’m mostly working on Gotenberg on my free time so.. Anyway, Gotenberg should always be called from a trusted source 🤔 |
Is this not mitigated by the fact that, that the process runs inside of the docker container? Which has no access to anything outside of the container? |
@serge-melis yes exactly. I had to prove to our security teams that it lives in a container and is short-lived. I was able to reduce the criticality of the finding by communicating that much. However, it'll stay a vulnerability until the software is patched (or updated) with a feature to disable local file navigation in the chrome driver (eg. no access to the etc/passwords path). So that's good news. As @gulien said earlier, its not (should not) publicly accessible and the client/requesters should be known and authorized. So the risk is pretty low at this point. BUT - a savvy hacker may find away around those other controls and ultimately pull/read sensitive information from the container. Hypothetical.... but this is the way security folks think. I'm certainly not a hacker pro. |
CVE-2021-23345 was assigned to this issue. |
Wow, that's an interesting one :) |
Expected Behavior
Current Behavior
Possible Solution
The use of server-side requests must be limited to specific scenarios required by the application and servers must be hardened to only allow those requests. SSRF can be remediated using a variety of standard web application protections, such as:
Steps to Reproduce (for bugs)
Context
Your Environment
The text was updated successfully, but these errors were encountered: