fix(security): block SSRF via the Gotenberg host setting (GHSA-mfxg) (#671)

v3 port. The Gotenberg PDF driver was missed when the SSRF guards were added
to the AI, exchange-rate and file-disk drivers: gotenberg_host was validated
only with 'url', and the driver POSTs the rendered HTML to it.

Reuses the existing infrastructure (consistency with the other drivers):
- Wires App\Rules\PublicHttpUrl into the gotenberg_host validation rule.
- Adds PrivateNetworkGuard::assertAllowed() in GotenbergPdfDriver before the
  outbound call (covers env/seed/stale config + DNS rebinding).

Adds a unit test asserting the gotenberg_host rule rejects private/loopback/
link-local addresses and allows a public one.
This commit is contained in:
Darko Gjorgjijoski
2026-06-12 11:02:19 +02:00
committed by GitHub
parent ca6dd57bf9
commit 99ea898e88
3 changed files with 39 additions and 0 deletions

View File

@@ -2,6 +2,8 @@
namespace App\Support\Pdf;
use App\Support\Net\BlockedUrlException;
use App\Support\Net\PrivateNetworkGuard;
use Gotenberg\Gotenberg;
use Gotenberg\Stream;
@@ -15,6 +17,16 @@ class GotenbergPdfDriver
}
$host = config('pdf.connections.gotenberg.host');
// SSRF guard: gotenberg_host is an admin-supplied URL the server POSTs
// the rendered HTML to. Block private/reserved/link-local targets even
// if set via env/seed/stale config or reachable through DNS rebinding.
try {
PrivateNetworkGuard::assertAllowed((string) $host);
} catch (BlockedUrlException $e) {
throw new \InvalidArgumentException('Invalid Gotenberg host: '.$e->getMessage());
}
$request = Gotenberg::chromium($host)
->pdf()
->margins(0, 0, 0, 0)