Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: SSRF vulnerability in TopicEmbed 

Block redirects when making the final request in TopicEmbed to prevent Server Side Request Forgery (SSRF)
This commit is contained in:
Krzysztof Kotlarek 2023-11-09 13:47:21 +11:00
parent 2ec2510517
commit 24cca10da7
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/models/topic_embed.rb
View File

@ -126,8 +126,8 @@ class TopicEmbed < ActiveRecord::Base
return if uri.blank? return if uri.blank?
begin begin
html = uri.read html = FinalDestination::HTTP.get(uri)
rescue OpenURI::HTTPError, Net::OpenTimeout rescue OpenURI::HTTPError, Net::OpenTimeout, FinalDestination::SSRFDetector::DisallowedIpError
return return
end end

13
spec/models/topic_embed_spec.rb
View File

@ -299,6 +299,19 @@ RSpec.describe TopicEmbed do
response = TopicEmbed.find_remote(url) response = TopicEmbed.find_remote(url)
expect(response.title).to eq("Through the Looking Glass") expect(response.title).to eq("Through the Looking Glass")
end end
it "doesn't follow redirect when making request" do
FinalDestination.any_instance.stubs(:resolve).returns(URI("https://redirect.com"))
stub_request(:get, "https://redirect.com/").to_return(
status: 301,
body: "<title>Moved permanently</title>",
headers: {
"Location" => "https://www.example.org/",
},
)
response = TopicEmbed.find_remote(url)
expect(response.title).to eq("Moved permanently")
end
end end
context 'with post with allowed classes "foo" and "emoji"' do context 'with post with allowed classes "foo" and "emoji"' do