mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-17 22:35:19 +00:00
fix(security): block SSRF via the Gotenberg host setting (GHSA-mfxg) (#671)
v3 port. The Gotenberg PDF driver was missed when the SSRF guards were added to the AI, exchange-rate and file-disk drivers: gotenberg_host was validated only with 'url', and the driver POSTs the rendered HTML to it. Reuses the existing infrastructure (consistency with the other drivers): - Wires App\Rules\PublicHttpUrl into the gotenberg_host validation rule. - Adds PrivateNetworkGuard::assertAllowed() in GotenbergPdfDriver before the outbound call (covers env/seed/stale config + DNS rebinding). Adds a unit test asserting the gotenberg_host rule rejects private/loopback/ link-local addresses and allows a public one.
This commit is contained in:
committed by
GitHub
parent
ca6dd57bf9
commit
99ea898e88
@@ -2,6 +2,8 @@
|
||||
|
||||
namespace App\Support\Pdf;
|
||||
|
||||
use App\Support\Net\BlockedUrlException;
|
||||
use App\Support\Net\PrivateNetworkGuard;
|
||||
use Gotenberg\Gotenberg;
|
||||
use Gotenberg\Stream;
|
||||
|
||||
@@ -15,6 +17,16 @@ class GotenbergPdfDriver
|
||||
}
|
||||
|
||||
$host = config('pdf.connections.gotenberg.host');
|
||||
|
||||
// SSRF guard: gotenberg_host is an admin-supplied URL the server POSTs
|
||||
// the rendered HTML to. Block private/reserved/link-local targets even
|
||||
// if set via env/seed/stale config or reachable through DNS rebinding.
|
||||
try {
|
||||
PrivateNetworkGuard::assertAllowed((string) $host);
|
||||
} catch (BlockedUrlException $e) {
|
||||
throw new \InvalidArgumentException('Invalid Gotenberg host: '.$e->getMessage());
|
||||
}
|
||||
|
||||
$request = Gotenberg::chromium($host)
|
||||
->pdf()
|
||||
->margins(0, 0, 0, 0)
|
||||
|
||||
Reference in New Issue
Block a user