Add SSRF protection.

Author: SebastianStehle

backend/extensions/Squidex.Extensions/Actions/Webhook/WebhookPlugin.cs

@@ -7,6 +7,7 @@
 
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Squidex.Infrastructure.Http;
 using Squidex.Infrastructure.Plugins;
 
 namespace Squidex.Extensions.Actions.Webhook;
@@ -15,6 +16,9 @@ public sealed class WebhookPlugin : IPlugin
 {
     public void ConfigureServices(IServiceCollection services, IConfiguration config)
     {
+        services.AddHttpClient("FlowClient")
+            .EnableSsrfProtection();
+
         services.AddFlowStep<WebhookFlowStep>();
 #pragma warning disable CS0618 // Type or member is obsolete
         services.AddRuleAction<WebhookAction>();

backend/src/Squidex.Infrastructure/Http/SsrfExtensions.cs

@@ -0,0 +1,59 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.Net;
+using System.Net.Sockets;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+
+namespace Squidex.Infrastructure.Http;
+
+public static class SsrfExtensions
+{
+    public static IHttpClientBuilder EnableSsrfProtection(this IHttpClientBuilder builder )
+    {
+        builder.AddHttpMessageHandler<SsrfProtectionHandler>();
+        builder.ConfigurePrimaryHttpMessageHandler(services =>
+        {
+            var options = services.GetService<IOptions<SsrfOptions>>()?.Value ?? new ();
+
+            return new SocketsHttpHandler
+            {
+                ConnectCallback = options.EnableDnsRebindingProtection
+                    ? CreateSecureConnectCallback(options)
+                    : null,
+                AllowAutoRedirect = options.AllowAutoRedirect,
+            };
+        });
+
+        return builder;
+    }
+
+    private static Func<SocketsHttpConnectionContext, CancellationToken, ValueTask<Stream>> CreateSecureConnectCallback(SsrfOptions options)
+    {
+        return async (context, cancellationToken) =>
+        {
+            var host = context.DnsEndPoint.Host;
+
+            // Re-validate DNS to prevent DNS rebinding attacks
+            var addresses = await Dns.GetHostAddressesAsync(host, cancellationToken);
+
+            foreach (var address in addresses)
+            {
+                if (SsrfHelper.IsPrivateOrReservedIp(address, options.BlockedIpAddresses))
+                {
+                    throw new HttpRequestException($"Connection to private IP blocked: {address}");
+                }
+            }
+
+            var socket = new Socket(SocketType.Stream, ProtocolType.Tcp);
+            await socket.ConnectAsync(context.DnsEndPoint, cancellationToken);
+
+            return new NetworkStream(socket, ownsSocket: true);
+        };
+    }
+}

backend/src/Squidex.Infrastructure/Http/SsrfHelper.cs

@@ -0,0 +1,66 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.Net;
+using System.Net.Sockets;
+
+#pragma warning disable SA1025 // Code should not contain multiple whitespace in a row
+
+namespace Squidex.Infrastructure.Http;
+
+public static class SsrfHelper
+{
+    public static bool IsPrivateOrReservedIp(IPAddress ip, HashSet<IPAddress>? blackList)
+    {
+        if (IPAddress.IsLoopback(ip))
+        {
+            return true;
+        }
+
+        if (ip.AddressFamily == AddressFamily.InterNetwork)
+        {
+            var bytes = ip.GetAddressBytes();
+
+            var isBlocked =
+                (bytes[0] == 10) ||                                         // 10.0.0.0/8
+                (bytes[0] == 172 && bytes[1] >= 16 && bytes[1] <= 31) ||    // 172.16.0.0/12
+                (bytes[0] == 192 && bytes[1] == 168) ||                     // 192.168.0.0/16
+                (bytes[0] == 169 && bytes[1] == 254) ||                     // link-local
+                (bytes[0] == 0) ||                                          // 0.0.0.0/8
+                (bytes[0] >= 224 && bytes[0] <= 239) ||                     // 224.0.0.0/4 multicast
+                (bytes[0] >= 240);                                          // 240.0.0.0/4 reserved
+
+            if (isBlocked)
+            {
+                return true;
+            }
+        }
+
+        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
+        {
+            var bytes = ip.GetAddressBytes();
+
+            var isBlocked =
+                ip.IsIPv6LinkLocal ||                                       // fe80::/10
+                ip.IsIPv6SiteLocal ||                                       // fec0::/10 (deprecated)
+                ip.IsIPv6Multicast ||                                       // ff00::/8
+                ((bytes[0] & 0xfe) == 0xfc);                                // fc00::/7 - Unique local
+
+            if (isBlocked)
+            {
+                return true;
+            }
+        }
+
+        if (blackList is {  Count: > 0 })
+        {
+            return blackList.Contains(ip);
+        }
+
+        return false;
+    }
+}

backend/src/Squidex.Infrastructure/Http/SsrfOptions.cs

@@ -0,0 +1,26 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.Net;
+
+namespace Squidex.Infrastructure.Http;
+
+public class SsrfOptions
+{
+    public HashSet<string> AllowedSchemes { get; set; } =
+        new HashSet<string>(
+            ["http", "https"],
+            StringComparer.OrdinalIgnoreCase);
+
+    public HashSet<IPAddress> BlockedIpAddresses { get; set; } =
+        new HashSet<IPAddress>(
+            [IPAddress.Parse("169.254.169.254")]);
+
+    public bool AllowAutoRedirect { get; set; }
+
+    public bool EnableDnsRebindingProtection { get; set; } = true;
+}

backend/src/Squidex.Infrastructure/Http/SsrfProtectionHandler.cs

@@ -0,0 +1,50 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.Net;
+using System.Net.Sockets;
+using Microsoft.Extensions.Options;
+
+namespace Squidex.Infrastructure.Http;
+
+public class SsrfProtectionHandler(IOptions<SsrfOptions> options) : DelegatingHandler
+{
+    protected override async Task<HttpResponseMessage> SendAsync(
+        HttpRequestMessage request,
+        CancellationToken cancellationToken)
+    {
+        if (request.RequestUri == null)
+        {
+            throw new HttpRequestException("Request URI is null");
+        }
+
+        if (!options.Value.AllowedSchemes.Contains(request.RequestUri.Scheme))
+        {
+            throw new HttpRequestException($"Scheme '{request.RequestUri.Scheme}' is not allowed");
+        }
+
+        var host = request.RequestUri.Host;
+        try
+        {
+            var addresses = await Dns.GetHostAddressesAsync(host, cancellationToken);
+
+            foreach (var address in addresses)
+            {
+                if (SsrfHelper.IsPrivateOrReservedIp(address, options.Value.BlockedIpAddresses))
+                {
+                    throw new HttpRequestException($"Request blocked: '{host}' resolves to private IP {address}");
+                }
+            }
+        }
+        catch (SocketException ex)
+        {
+            throw new HttpRequestException($"DNS resolution failed for '{host}'", ex);
+        }
+
+        return await base.SendAsync(request, cancellationToken);
+    }
+}

backend/src/Squidex/Config/Domain/RuleServices.cs

@@ -23,6 +23,7 @@
 using Squidex.Domain.Apps.Entities.Schemas;
 using Squidex.Flows.Internal.Execution;
 using Squidex.Infrastructure.EventSourcing;
+using Squidex.Infrastructure.Http;
 using Squidex.Infrastructure.Reflection;
 
 namespace Squidex.Config.Domain;
@@ -34,6 +35,9 @@ public static void AddSquidexRules(this IServiceCollection services, IConfigurat
         services.Configure<RulesOptions>(config,
             "rules");
 
+        services.Configure<SsrfOptions>(config,
+            "ssrf");
+
         services.AddSingletonAs<EventEnricher>()
             .As<IEventEnricher>();
 

backend/src/Squidex/appsettings.json

@@ -83,6 +83,18 @@
         "Squidex.Extensions.dll"
     ],
 
+    // SSRF Options for outgoing http requests.
+    "ssrf": {
+        // Enable DNS rebinding protection (validates DNS twice, recommended for security).
+        "enableDnsRebindingProtection": true,
+
+        // Allowed URI schemes for outbound requests.
+        "allowedSchemes": [ "http", "https" ],
+
+        // Additional IP addresses to block (e.g., cloud metadata endpoints).
+        "blockedIpAddresses": [ "169.254.169.254" ]
+    },
+
     "caching": {
         // Set to true, to use strong etags.
         "strongETag": false,