
Fix code scanning alert - Full server-side request forgery - rated CRITICAL (partially solved) #250

Open
3 tasks
niccokunzmann opened this issue Dec 25, 2023 · 3 comments
Labels
help wanted Extra attention is needed

Comments

@niccokunzmann
Owner

niccokunzmann commented Dec 25, 2023

The requests to servers to obtain the ICS files can be used to direct to any source - this is generally intended but might be a problem in certain settings.

Example

A problematic example setting is that the service can be publicly accessible but behind a firewall. Other services run behind the same firewall. Through OWC, these services can be accessed via a GET request by the public without the firewall checking the requests.

Code

```python
# url comes straight from the query string; nothing restricts its scheme or destination
return requests.get(url, headers=DEFAULT_REQUEST_HEADERS).content
```

Implementation Ideas

Requests should be restricted:

  • allow only http, https, ftp - add this to configuration through ENV variables
  • Restriction to public IP addresses/domains/...
    • how to implement this, especially with IPv6?
    • This is not always desired. How to make it configurable?

Related

Tracking issue for:

See also


@niccokunzmann niccokunzmann added the help wanted Extra attention is needed label Dec 25, 2023
niccokunzmann added a commit that referenced this issue Dec 26, 2023
This contributes to setup without SSRF.
See #250
niccokunzmann added a commit that referenced this issue Dec 26, 2023
This contributes to setup without SSRF.
See #250
@niccokunzmann
Owner Author

niccokunzmann commented Dec 27, 2023

#252 adds a docker configuration to prevent SSRF attacks using a Tor proxy. (included in v1.23)
The example runs at https://tor.open-web-calendar.hosted.quelltext.eu/
It seems that users would normally just pull the image and be unaware of the attack vector. It might be nice to prevent these kinds of problems in a more generic way.

Possible solutions:

  • include a proxy that checks the requests (e.g. a Python socks5 proxy)
  • use advocate (not updated any more) to restrict access

Also, some settings might just want to run it behind a firewall accessing just the local network. Configuration needs to be possible to not restrict usage.

@niccokunzmann niccokunzmann changed the title Fix code scanning alert - Full server-side request forgery - rated CRITICAL Fix code scanning alert - Full server-side request forgery - rated CRITICAL (partially solved) Dec 31, 2023
@vmario89
Contributor

atm I am working to allow only specific domains using OWC because I only want to embed calendars from specific resources and I don't want to share the OWC service with the whole world. I messed with different things like IP allowance, auth_basic for locations, etc. in the web server, but that's not the best idea so far ..

What about parsing the request header "Access-Control-Allow-Origin"? Like
add_header 'Access-Control-Allow-Origin' 'https://a-trusted-host.org https://another-cool-page.de https://yes-no-maybe.com' always;

We could use that information from the nginx/apache/other web server configuration to check if the given URLs are whitelisted by the header. If not, we do not parse them by excluding them in app.py:

```python
for parameter in query:
    # get a list of arguments
    # see https://web.archive.org/web/20230325034825/https://werkzeug.palletsprojects.com/en/0.14.x/datastructures/
    value = query.getlist(parameter, None)
    if parameter == "url":
        # keep only the calendar URLs whose prefix is on the allow-list
        # (the prefix is a placeholder for the value taken from the header)
        allowed = []
        for url in value:
            if url.startswith("https://some-sample-url-from-a-header"):
                allowed.append(url)
            else:
                print("URL {} not allowed!".format(url))
        value = allowed
    # collapse single values only after filtering, so the loop above sees a list
    if len(value) == 1:
        value = value[0]
    if value:
        specification[parameter] = value
return specification
```

not sure if that helps
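Putting the two ideas in this thread into one check (the scheme allow-list and the public-address restriction from the issue description, including the IPv6 question, plus the host allow-list from the comment above), as an added example that is not Open Web Calendar's own code: the environment variable names OWC_ALLOWED_SCHEMES and OWC_ALLOWED_HOSTS, the function names and the sample hosts are assumptions.

```python
import ipaddress
import os
import socket
from urllib.parse import urlsplit

# Constructed defaults; the variable names OWC_ALLOWED_SCHEMES/OWC_ALLOWED_HOSTS are assumed.
ALLOWED_SCHEMES = frozenset(
    s.strip() for s in os.environ.get("OWC_ALLOWED_SCHEMES", "http,https,ftp").lower().split(","))
# Optional host allow-list, comma separated; empty means "any host with a public address".
ALLOWED_HOSTS = frozenset(
    h.strip() for h in os.environ.get("OWC_ALLOWED_HOSTS", "").lower().split(",") if h.strip())

def address_is_public(ip_text: str) -> bool:
    """True only for globally routable unicast addresses, IPv4 or IPv6."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is judged by the embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    blocked = (addr.is_private or addr.is_loopback or addr.is_link_local
               or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return addr.is_global and not blocked

def resolve_host(host: str) -> list[str]:
    """Every A/AAAA answer for host; the HTTP client may connect to any of them."""
    return [info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]

def url_is_allowed(url: str, resolver=resolve_host, allowed_schemes=ALLOWED_SCHEMES,
                   allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Scheme allow-list, optional host allow-list, then public-address check."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in allowed_schemes or not host:
        return False
    if allowed_hosts and host not in allowed_hosts:
        return False
    try:
        ipaddress.ip_address(host)
        addresses = [host]                 # an IP literal needs no DNS lookup
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:                    # socket.gaierror is a subclass
            return False
    # Every answer must be public: with a mixed answer set the client may pick a bad one.
    return bool(addresses) and all(address_is_public(a) for a in addresses)
```

Because this check and the later fetch resolve DNS separately, a host whose answers change between the two can still end up at an internal address; a filtering proxy in the request path, the approach discussed elsewhere in this issue, closes that gap.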

@niccokunzmann
Owner Author

Thanks for answering - I think that is possible to do.

For using my time, I think it is best to configure a proxy that does the filtering. I'd like to have some kind of instructions in the README to allow people to easily set up a proxy that filters. My thought is that filtering is reliably done by different proxy implementations, and pulling this kind of logic into the OWC will result in small mistakes being made, fewer features and fewer configuration options than using different software that can do the job as expected, tested and reliable. My feeling is that with FOSS software, we can compose a solution from different sources and do not have to recreate mediocre home-made solutions. So, I would go for

  • create a tutorial of how to filter the possible requested calendars with a proxy
  • set up this tutorial on my server (as was done with the Tor proxy)

Another solution might be this:

  • create/use a library to parse a filter configuration
  • create documentation to filter using the OWC

See also:
