fix(security): block SSRF via the Gotenberg host setting (GHSA-mfxg) (#671)

v3 port. The Gotenberg PDF driver was missed when the SSRF guards were added
to the AI, exchange-rate and file-disk drivers: gotenberg_host was validated
only with 'url', and the driver POSTs the rendered HTML to it.

Reuses the existing infrastructure (consistency with the other drivers):
- Wires App\Rules\PublicHttpUrl into the gotenberg_host validation rule.
- Adds PrivateNetworkGuard::assertAllowed() in GotenbergPdfDriver before the
  outbound call (covers env/seed/stale config + DNS rebinding).

Adds a unit test asserting the gotenberg_host rule rejects private/loopback/
link-local addresses and allows a public one.
This commit is contained in:
Darko Gjorgjijoski
2026-06-12 11:02:19 +02:00
committed by GitHub
parent ca6dd57bf9
commit 99ea898e88
3 changed files with 39 additions and 0 deletions

View File

@@ -2,6 +2,7 @@
namespace App\Http\Requests;
use App\Rules\PublicHttpUrl;
use Illuminate\Foundation\Http\FormRequest;
class PDFConfigurationRequest extends FormRequest
@@ -37,6 +38,7 @@ class PDFConfigurationRequest extends FormRequest
'gotenberg_host' => [
'required',
'url',
new PublicHttpUrl,
],
'gotenberg_papersize' => [
'required',