Summary
A server-side request forgery (SSRF) in IssueProxyResourceService::getMdImageByUrl lets an unauthenticated-to-the-target server fetch arbitrary URLs on behalf of the caller. An attacker can use it to reach internal resources and, because the fetched response is relayed back to the browser, to execute attacker-controlled JavaScript in the context of MeterSphere's origin when a victim opens a crafted link (reflected XSS).
Details
MeterSphere's IssueProxyResourceController exposes a /md/get/url endpoint under the /resource mapping (full path /resource/md/get/url). It takes the user-controlled url GET parameter (1) and hands it straight to getMdImageByUrl (2) without validating scheme, host or port.
// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/test-track/backend/src/main/java/io/metersphere/controller/IssueProxyResourceController.java
@RestController
@RequestMapping(value = "/resource")
public class IssueProxyResourceController {
    @Resource
    IssueProxyResourceService issueProxyResourceService;

    // url is taken verbatim from the query string; no scheme/host restriction is applied here
    @GetMapping(value = "/md/get/url")
    public ResponseEntity<byte[]> getFileByUrl(@RequestParam ("url") String url, @RequestParam (value = "platform", required = false) String platform, // 1
                                               @RequestParam ("project_id") String projectId, @RequestParam ("workspace_id") String workspaceId) {
        return issueProxyResourceService.getMdImageByUrl(url, platform, projectId, workspaceId); // 2
    }
}
getMdImageByUrl rejects only URLs that contain the substring md/get/url (a guard against recursing into the same endpoint) and then passes url to RestTemplate's exchange method at (3). exchange performs the GET from the MeterSphere server and the resulting ResponseEntity, body and upstream headers included, is returned to the caller. Nothing restricts the scheme, the target host or the port, so loopback, RFC 1918 and cloud-metadata addresses are all reachable.
// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/test-track/backend/src/main/java/io/metersphere/service/wapper/IssueProxyResourceService.java#L32
public ResponseEntity<byte[]> getMdImageByUrl(String url, String platform, String projectId, String workspaceId) {
    // The only check on url: a substring match that prevents recursion into this endpoint,
    // not a restriction on where the server may connect.
    if (url.contains("md/get/url")) {
        MSException.throwException(Translator.get("invalid_parameter"));
    }
    ...
    // Server-side fetch of an attacker-chosen URL; the upstream response is relayed to the client.
    return restTemplate.exchange(url, HttpMethod.GET, null, byte[].class); // 3
}
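The missing check is an allow-list on the destination before the server connects. The following is an added example of such a check, not MeterSphere's code and not the fix that shipped in v2.5.0: the class SafeUrlValidator, its rule set (http/https only, no userinfo, default ports only, no host that resolves to a loopback, link-local, private, CGNAT, unique-local or multicast address) and the sample URLs in main are all this example's own assumptions, chosen so that the demonstration runs offline (only IP literals are resolved). A Spring service would call validate(url) before restTemplate.exchange.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Set;

// Added example (not MeterSphere code): destination allow-list of the kind getMdImageByUrl lacks.
public final class SafeUrlValidator {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    private static final Set<Integer> ALLOWED_PORTS = Set.of(-1, 80, 443); // -1 = scheme default

    public static final class RejectedUrlException extends Exception {
        RejectedUrlException(String reason) { super(reason); }
    }

    /** Returns the parsed URI when every check passes, otherwise throws with the reason. */
    public static URI validate(String raw) throws RejectedUrlException {
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            throw new RejectedUrlException("unparseable url");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            throw new RejectedUrlException("scheme not allowed: " + scheme);
        }
        if (uri.getRawUserInfo() != null) {
            throw new RejectedUrlException("userinfo not allowed");
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new RejectedUrlException("missing host");
        }
        if (!ALLOWED_PORTS.contains(uri.getPort())) {
            throw new RejectedUrlException("port not allowed: " + uri.getPort());
        }
        // Check every address the name maps to, not just the first one returned.
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(stripBrackets(host));
        } catch (UnknownHostException e) {
            throw new RejectedUrlException("host does not resolve: " + host);
        }
        for (InetAddress a : addrs) {
            if (isInternal(a)) {
                throw new RejectedUrlException("host resolves to internal address " + a.getHostAddress());
            }
        }
        return uri;
    }

    // URI.getHost() keeps the brackets around IPv6 literals ("[::1]").
    private static String stripBrackets(String host) {
        return host.startsWith("[") && host.endsWith("]") ? host.substring(1, host.length() - 1) : host;
    }

    static boolean isInternal(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        // 100.64.0.0/10 (carrier-grade NAT) is not covered by isSiteLocalAddress
        if (b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40) return true;
        // fc00::/7 (IPv6 unique local) is not covered by isSiteLocalAddress either
        if (b.length == 16 && (b[0] & 0xfe) == 0xfc) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs; IP literals only, so no DNS lookup is needed to run this.
        List<String> candidates = List.of(
            "https://93.184.216.34/image.png",           // public literal: allowed
            "http://127.0.0.1:8081/resource/md/get/url", // loopback + port 8081: rejected
            "http://169.254.169.254/latest/meta-data/",  // link-local (cloud metadata): rejected
            "http://[::1]/",                             // IPv6 loopback: rejected
            "file:///etc/passwd",                        // scheme: rejected
            "http://user@10.0.0.5/",                     // userinfo (and RFC 1918): rejected
            "http://100.64.1.1/"                         // CGNAT range: rejected
        );
        for (String c : candidates) {
            try {
                validate(c);
                System.out.println("ALLOW  " + c);
            } catch (RejectedUrlException e) {
                System.out.println("REJECT " + c + "  (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with `java SafeUrlValidator.java` (Java 11 or later). Two caveats a reviewer should keep in mind: resolving the name here and letting RestTemplate resolve it again later leaves a DNS-rebinding window, so a production fix should connect to the address that was validated (a custom resolver in the HTTP client) or re-run the check inside the client; and HTTP redirects must either be disabled or re-validated per hop, since a public host can redirect the server to an internal one.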
PoC
curl -X GET 'http://127.0.0.1:8081/resource/md/get/url?url=https://securitylab.github.com'
Note that the controller declares project_id and workspace_id as required request parameters, so a request against the code above must supply them as well; substituting an internal address (for example a loopback or cloud-metadata URL) for the url value turns the same request into a probe of the server's network.
Patches
The vulnerability has been fixed in v2.5.0.
- d0f95b5: Restrict the path used by RestTemplate.
Workarounds
No workaround is provided; upgrade to v2.5.0.
For more information
If you have any questions or comments about this advisory, please open an issue.