
Conversation


@odaysec odaysec commented Apr 25, 2025

upstreamRequest.setURI(URI.create(request.getRequestLine().getUri()));

The fix for the SSRF vulnerability validates the URI extracted from the incoming request. Specifically:

  1. Introduce a whitelist of allowed hosts or URI prefixes that the proxy server can forward requests to.
  2. Before creating the URI object, check if the incoming URI matches the allowed hosts or prefixes. If it does not, reject the request by setting an appropriate error response.
  3. This ensures that the proxy server only forwards requests to trusted destinations, mitigating the SSRF risk.

Directly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.

POC

The following shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

// javax.servlet is assumed here; on a Jakarta EE 9+ container the package is jakarta.servlet
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SSRF extends HttpServlet {
	private static final String VALID_URI = "http://lgtm.com";
	private HttpClient client = HttpClient.newHttpClient();

	protected void doGet(HttpServletRequest request, HttpServletResponse response)
		throws ServletException, IOException {
		try {
			// The "uri" query parameter is fully attacker-controlled
			URI uri = new URI(request.getParameter("uri"));
			// BAD: a request parameter is incorporated without validation into an HTTP request
			HttpRequest r = HttpRequest.newBuilder(uri).build();
			client.send(r, HttpResponse.BodyHandlers.discarding());

			// GOOD: the request parameter is validated against a known fixed string
			if (VALID_URI.equals(request.getParameter("uri"))) {
				HttpRequest r2 = HttpRequest.newBuilder(uri).build();
				client.send(r2, HttpResponse.BodyHandlers.discarding());
			}
		} catch (URISyntaxException | InterruptedException e) {
			// new URI(...) and HttpClient.send(...) throw checked exceptions; surface them as a servlet error
			throw new ServletException(e);
		}
	}
}

References

OWASP SSRF
CWE-918
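The three numbered steps in the comment above (allowlist of upstreams, check before building the URI, reject otherwise) as a worked example. This is added illustration code, not Elasticsearch code and not the PR author's patch: the class name UpstreamAllowlist, the validate method and the upstream.example origins are all assumptions. It assumes, as the quoted setURI line suggests, that the proxy receives an absolute-form request target (scheme://host[:port]/path) and compares the parsed scheme, host and effective port against the allowlist rather than doing a string-prefix match, because prefix matches are defeated by userinfo (http://allowed@evil/), subdomains (allowed.evil/) and non-default ports.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical allowlist check for a forwarding proxy (added example, not project code).
 * A request target is forwarded only when it parses to an origin the proxy is allowed to reach.
 */
public final class UpstreamAllowlist {

    /** Constructed allowlist of upstream origins, normalised as scheme://host:port. */
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
        "http://upstream.example:80",
        "https://upstream.example:443"
    );

    private UpstreamAllowlist() {}

    /**
     * Returns the parsed URI when the request target is safe to forward, or null when it
     * must be rejected. The caller answers the client with an error instead of forwarding on null.
     */
    public static URI validate(String requestTarget) {
        final URI uri;
        try {
            uri = new URI(requestTarget);
        } catch (URISyntaxException e) {
            return null;                              // unparseable target: reject
        }
        if (!uri.isAbsolute() || uri.isOpaque()) {
            return null;                              // "/path" or "mailto:x" style targets
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null;                              // file:, ftp:, jar: and friends
        }
        if (uri.getRawUserInfo() != null) {
            return null;                              // http://upstream.example@evil.example/
        }
        String host = uri.getHost();
        if (host == null) {
            return null;                              // registry-based authority java.net.URI could not parse as a host
        }
        int port = uri.getPort();
        if (port == -1) {
            port = scheme.equals("https") ? 443 : 80; // apply the scheme default before comparing
        }
        String origin = scheme + "://" + host.toLowerCase(Locale.ROOT) + ":" + port;
        if (!ALLOWED_ORIGINS.contains(origin)) {
            return null;                              // exact origin match only, no prefix/substring logic
        }
        // Return the same parsed object that was checked, so the forwarded URI is exactly the validated one.
        return uri;
    }

    public static void main(String[] args) {
        // Constructed request targets: the first three should pass, the rest must be rejected.
        String[] samples = {
            "http://upstream.example/_search?q=x",
            "HTTP://UPSTREAM.EXAMPLE/index",
            "https://upstream.example:443/",
            "http://upstream.example:8080/",               // wrong port
            "http://upstream.example@evil.example/",      // allowlisted name in userinfo
            "http://upstream.example.evil.example/",      // allowlisted name as a subdomain
            "http://evil.example/#@upstream.example",     // allowlisted name in the fragment
            "http://127.0.0.1:9200/_cluster/settings",    // loopback, classic SSRF target
            "file:///etc/passwd",                         // non-HTTP scheme
            "/relative/path"                              // origin-form, not forwardable
        };
        for (String s : samples) {
            URI ok = validate(s);
            System.out.printf("%-45s -> %s%n", s, ok == null ? "REJECT" : "forward to " + ok.getHost());
        }
    }
}
```

A host allowlist bounds where the first request goes; it does not bound where the upstream client ends up if it follows redirects, so the HttpClient used for forwarding should be built with redirect following disabled (or re-run this check on every hop).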

@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label v9.1.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Apr 25, 2025
@DaveCTurner (Contributor)

This is a private test-only class that only listens on localhost on a CI test runner. If you can talk to it, you're already on the other side of the airtight hatchway.

