mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 14:25:21 +00:00
fix(security): block SSRF via the Gotenberg host setting (GHSA-mfxg) (#671)
v3 port. The Gotenberg PDF driver was missed when the SSRF guards were added to the AI, exchange-rate and file-disk drivers: gotenberg_host was validated only with 'url', and the driver POSTs the rendered HTML to it. Reuses the existing infrastructure (consistency with the other drivers): - Wires App\Rules\PublicHttpUrl into the gotenberg_host validation rule. - Adds PrivateNetworkGuard::assertAllowed() in GotenbergPdfDriver before the outbound call (covers env/seed/stale config + DNS rebinding). Adds a unit test asserting the gotenberg_host rule rejects private/loopback/ link-local addresses and allows a public one.
This commit is contained in:
committed by
GitHub
parent
ca6dd57bf9
commit
99ea898e88
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Http\Requests;
|
||||
|
||||
use App\Rules\PublicHttpUrl;
|
||||
use Illuminate\Foundation\Http\FormRequest;
|
||||
|
||||
class PDFConfigurationRequest extends FormRequest
|
||||
@@ -37,6 +38,7 @@ class PDFConfigurationRequest extends FormRequest
|
||||
'gotenberg_host' => [
|
||||
'required',
|
||||
'url',
|
||||
new PublicHttpUrl,
|
||||
],
|
||||
'gotenberg_papersize' => [
|
||||
'required',
|
||||
|
||||
Reference in New Issue
Block a user