Fix code scanning alert - Full server-side request forgery - rated CRITICAL (partially solved) #250
Comments
This contributes to setup without SSRF. See #250
#252 adds a docker configuration to prevent SSRF attacks using a Tor proxy. (included in v1.23) Possible solutions:
Also, some settings might just want to run it behind a firewall accessing just the local network. Configuration needs to be possible to not restrict usage.
atm I am working to allow only specific domains using OWC because I only want to embed calendars from specific resources and I don't want to share the OWC service with the whole world. I messed with different things like IP allowance, auth_basic for locations, etc. in the web server, but that's not the best idea so far .. What about parsing the request header "Access-Control-Allow-Origin"? Like, we could use that information from the nginx/apache/other web server configuration to check if the given URLs are whitelisted by the header. If not, we do not parse them by excluding them in
not sure if that helps
Thanks for answering - I think that is possible to do. For using my time, I think it is best to configure a proxy that does the filtering. I like to have some kind of instructions in the README to allow people to easily set up a proxy that filters. My thought is that filtering is reliably done by different proxy implementations and pulling this kind of logic into the OWC will result in small mistakes made, fewer features and fewer configuration options than using different software that can do the job as expected, tested and reliable. My feeling is that with FOSS software, we can compose a solution from different sources and do not have to recreate mediocre home-made solutions. So, I would go for
Another solution might be this:
See also:
The requests to servers to obtain the ICS files can be used to direct to any source - this is generally intended but might be a problem in certain settings.
Example
A problematic example setting is that the service can be publicly accessible but behind a firewall. Other services run behind the same firewall. Through OWC, these services can be accessed via a GET request by the public without the firewall checking the requests.
Code: open-web-calendar/app.py, line 124 in 99f554f
Implementation Ideas
Requests should be restricted:
Related
Tracking issue for:
See also
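An illustration of the kind of restriction the issue asks for, as an added example that is not code from the open-web-calendar project: before fetching an ICS URL, require an http(s) scheme, match the host against a configured allowlist, and refuse any host that resolves to a loopback, private, link-local or otherwise non-public address. The allowlist names and the resolver injection are assumptions made for this example.

```python
"""Added example: allowlist plus non-public-address check for outbound ICS fetches."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example; hypothetical names, not project config.
ALLOWED_HOSTS = {"calendar.example.org", "ics.example.net"}


def host_is_allowed(host, allowed_hosts=ALLOWED_HOSTS):
    """True if host equals, or is a subdomain of, an allowlisted name."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def resolve_addresses(host):
    """Resolve host to a list of IP strings via real DNS (replaceable in tests)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=resolve_addresses):
    """Return (ok, reason); ok is True only if every check passes.

    The resolver is injectable so the check can run offline. Note that the
    address may change between this check and the actual fetch (DNS
    rebinding), which a filtering proxy in front of the fetch avoids.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if not host_is_allowed(host, allowed_hosts):
        return False, "host not on allowlist: %s" % host
    try:
        addresses = resolve(host)
    except OSError as exc:
        return False, "cannot resolve %s: %s" % (host, exc)
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # Loopback, RFC 1918 / ULA, link-local (169.254.0.0/16 included) and
        # reserved ranges are all non-global and therefore refused.
        if not ip.is_global:
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"
```

When the fetch itself is done with a library that follows redirects, either disable redirects or run this check again on every redirect target, since a redirect from an allowlisted host can otherwise point back into the local network.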