Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit TitleExtractor to allow only Remark42 whitelisted domains #1681

Merged
merged 2 commits into from
Oct 11, 2023
Merged

Limit TitleExtractor to allow only Remark42 whitelisted domains #1681

merged 2 commits into from
Oct 11, 2023

Conversation

paskal
Copy link
Sponsor Collaborator

@paskal paskal commented Oct 10, 2023
edited
Loading

Allowed domains consist of REMARK_URL second-level domain (or whole IP in case it's IP like 127.0.0.1) and ALLOWED_HOSTS. That is needed to prevent Remark42 from asking arbitrary servers and storing the page title as the comment.PostTitle.

Previous behaviour allowed the caller of the API to create a comment with an arbitrary URL and learn the title of the page, which might be accessible to the server Remark42 is installed on but not to the user outside that network (CWE-918).

Resolves #1677.

@paskal paskal added the backend label Oct 10, 2023
@paskal paskal requested a review from umputun as a code owner October 10, 2023 20:35
@github-actions
Copy link

github-actions bot commented Oct 10, 2023
edited
Loading

Pull Request Test Coverage Report for Build 6475851841

  • 48 of 54 (88.89%) changed or added relevant lines in 2 files are covered.
  • 3 unchanged lines in 2 files lost coverage.
  • Overall coverage increased (+0.04%) to 84.282%
Changes Missing Coverage Covered Lines Changed/Added Lines %
backend/app/store/service/title.go 21 27 77.78%
Files with Coverage Reduction New Missed Lines %
backend/app/store/service/title.go 1 79.75%
backend/app/providers/telegram.go 2 87.88%
Totals Coverage Status
Change from base Build 6472903539: 0.04%
Covered Lines: 5850
Relevant Lines: 6941
💛 - Coveralls

@paskal
limit TitleExtractor to allow only Remark42 whitelisted domains
a5c4e68 
Allowed domains consist of `REMARK_URL` second-level domain (or whole IP in case it's IP like `127.0.0.1`) and `ALLOWED_HOSTS`. That is needed to prevent Remark42 from asking arbitrary servers and storing the page title as the comment.PostTitle.

Previous behaviour allowed the caller of the API to create a comment
with an arbitrary URL and learn the title of the page, which might be
accessible to the server Remark42 is installed on but not to the user
outside that network (CWE-918).
umputun
umputun reviewed Oct 10, 2023
View reviewed changes
Copy link
Owner

@umputun umputun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

solid job; just a few minor things

backend/app/cmd/server.go Outdated Show resolved Hide resolved
backend/app/cmd/server.go Show resolved Hide resolved
backend/app/cmd/server_test.go Show resolved Hide resolved
backend/app/store/service/title.go Show resolved Hide resolved
backend/app/store/service/title.go Outdated
}
allowed := false
for _, domain := range t.allowedDomains {
if strings.HasSuffix(u.Hostname(), domain) {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't it risky a little bit? I mean can it allow ab.example.com for allowed b.example.com?

Copy link
Sponsor Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a bit risky, however I see no way around for allowing case like example.org when remark42.example.com is used for Remark42 installation for comments on example.com. I think the solution here is outlining that risk in the documentation.

Also, the current case allowed requests to notexample.org if my domain is example.org (e.g. suffixes match): I've fixed that.

Copy link
Sponsor Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any other behaviour would be a breaking change. It's a small part of functionality so maybe a requirement for listing your domain(s) explicitly in AllowedDomains in case Remark42 runs on a separate domain is not bad.

I can alter the logic to get second-level domain only from REMARK_URL and use ALLOWED_HOSTS as-is, that seem to make sense.

@paskal
limit TitleExtractor to allow only Remark42 whitelisted domains
f0071ae 
Allowed domains consist of `REMARK_URL` second-level domain (or whole IP in case it's IP like `127.0.0.1`) and `ALLOWED_HOSTS`. That is needed to prevent Remark42 from asking arbitrary servers and storing the page title as the comment.PostTitle.

Previous behaviour allowed the caller of the API to create a comment
with an arbitrary URL and learn the title of the page, which might be
accessible to the server Remark42 is installed on but not to the user
outside that network (CWE-918).
@umputun
Copy link
Owner

umputun commented Oct 11, 2023

LGTM

@umputun umputun merged commit efceed6 into master Oct 11, 2023
3 checks passed
@umputun umputun deleted the paskal/CWE-918 branch October 11, 2023 04:34
@paskal paskal added this to the v1.13.0 milestone Mar 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@umputun umputun umputun left review comments

Assignees
No one assigned
Labels
backend
Projects
None yet
Milestone
v1.13.0
Development

Successfully merging this pull request may close these issues.

[CWE-918] Blind SSRF in /api/v1/comment
2 participants
@paskal @umputun