Permalink
Show file tree
Hide file tree
1 comment
on commit
sign in to comment.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
ssrf: External Inline Images
This mitigates an SSRF security vulnerability reported by [Talat Mehmood](https://twitter.com/Blackbatsecuri1) where we do not check if the src URL for external inline images contain a valid image extension when displaying. This means if someone puts something like `<img src="mymalicioussite.com/badscript.js">` in the body of their message, when someone clicks Show Images or when the ticket is printed the server will call the src URL to get the "image" data for display. This is a problem as this could load malicious code/scripts in the browser. This adds a new setting called `Allow External Images` and if Disabled we will not allow any external images in Threads. If this setting is Enabled (default), we will only allow `<img>` src URLs with valid image extensions (`png`,`jpg`,`jpeg`,`gif`).
- Loading branch information
Showing
6 changed files
with
71 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
d98c2d0There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi,
The issue with a SSRF is not that an attacker can load malicious script. The issue is that a request is made by the server. The attacker can still add an appropropiate extention and get internal IP of the server, or call an internal ES server, aws endpoint protected by firewall, sometime even a file from the filesystem of the server.
The filter in itself doesn't seems really robust neither (but didn't dig into it).
What happens with url like https://www.example.com/evil-script.js#legit.jpg ?