
Security fix: Server-Side Request Forgery #2434

Merged
merged 2 commits into from
Dec 12, 2024

Conversation

@Ludy87 Ludy87 commented Dec 11, 2024

Description

This PR enhances the isURLReachable method in the GeneralUtils class by:

  1. Adding validation to restrict allowed protocols to http and https.
  2. Introducing a helper method, isLocalAddress, to detect and exclude local addresses such as:
    • 127.0.0.1, localhost, and ::1 (loopback addresses)
    • Private IPv4 ranges (192.168.x.x, 10.x.x.x, 172.16.x.x - 172.31.x.x)
    • Link-local IPv6 addresses (fe80::/10).
  3. Improving exception handling to return false for all invalid or unreachable URLs.

https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-4v4c-9hpr-93vx

Checklist

  • I have read the Contribution Guidelines
  • [ ] I have performed a self-review of my own code
  • I have attached images of the change if it is UI based
  • I have commented my code, particularly in hard-to-understand areas
  • If my code has heavily changed functionality I have updated relevant docs on Stirling-PDFs doc repo
  • My changes generate no new warnings
  • I have read the section Add New Translation Tags (for new translation tags only)
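As an added illustration of the mitigation the description outlines (scheme allow-list plus a local-address filter), and not code from this PR or from Stirling-PDF, the following standalone class checks every address a host resolves to rather than only literal IPs; the class, method names and sample URLs are this example's own assumptions.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

// Added example, not Stirling-PDF's code: a scheme allow-list plus a check of every
// address the host resolves to, so a hostname mapping to an internal IP is rejected too.
public class SsrfUrlCheck {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    // Loopback (127/8, ::1), unspecified (0.0.0.0, ::), RFC 1918 private IPv4
    // (10/8, 172.16/12, 192.168/16, via isSiteLocalAddress()), link-local
    // (169.254/16, fe80::/10) and multicast addresses are all refused.
    static boolean isLocalAddress(InetAddress addr) {
        return addr.isLoopbackAddress()
                || addr.isAnyLocalAddress()
                || addr.isSiteLocalAddress()
                || addr.isLinkLocalAddress()
                || addr.isMulticastAddress();
    }
    // True only if the scheme is http/https and no resolved address is local;
    // any parse or resolution failure counts as "not allowed".
    static boolean isAllowedTarget(String url) {
        try {
            URI uri = new URI(url);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null
                    || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
                return false;
            }
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (isLocalAddress(addr)) {
                    return false;
                }
            }
            return true;
        } catch (URISyntaxException | UnknownHostException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        // Constructed sample inputs; 203.0.113.10 is a documentation-range address.
        String[] samples = {"http://127.0.0.1/", "http://localhost:8080/",
                "http://[fe80::1]/", "file:///etc/hosts", "https://203.0.113.10/"};
        for (String u : samples) {
            System.out.println(isAllowedTarget(u) + "  " + u);
        }
    }
}
```

Validating first and connecting later leaves a window for DNS rebinding and does not cover HTTP redirects, so the connection should reuse the vetted address and re-validate each redirect target. InetAddress.isSiteLocalAddress() covers only the three RFC 1918 blocks, so a range such as 100.64.0.0/10 needs an explicit rule if it matters in your deployment.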

@Ludy87 Ludy87 requested a review from Frooodle as a code owner December 11, 2024 20:10
@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Dec 11, 2024
@github-actions github-actions bot added the Java Pull requests that update Java code label Dec 11, 2024
Ludy87 commented Dec 11, 2024

@summerxxoo can you confirm that there are no other problems with SSRF?

@Frooodle Frooodle merged commit c6980e9 into Stirling-Tools:main Dec 12, 2024
6 checks passed
@summerxxoo

@summerxxoo can you confirm that there are no other problems with SSRF?

Thank you very much for your timely response to the security risk. I have confirmed that it has been completely repaired
