fix(security): block SSRF via the Gotenberg host setting (GHSA-mfxg) (#664)

gotenberg_host was validated only with Laravel's 'url' rule, which permits
loopback/private/link-local hosts (e.g. http://127.0.0.1, http://10.0.0.1,
the cloud metadata endpoint http://169.254.169.254). When a PDF renders, the
server POSTs the document HTML to that host — an SSRF primitive.

- Adds App\Rules\SafeRemoteUrl: requires http(s) and rejects any host that
  resolves to a loopback/private/link-local/CGNAT/reserved address (IPv4 and
  IPv6), including literal-IP hosts.
- Wires it into PDFConfigurationRequest for gotenberg_host.
- Adds a defensive re-check in GotenbergPDFDriver before the outbound call to
  cover hosts set via env/seed/stale config or DNS rebinding (TOCTOU).

Adds unit tests for the rule + validator integration.
This commit is contained in:
Darko Gjorgjijoski
2026-06-12 09:18:57 +02:00
committed by GitHub
parent e92b08ef6a
commit d615cfb4ff
4 changed files with 178 additions and 0 deletions

View File

@@ -2,6 +2,7 @@
namespace App\Http\Requests;
use App\Rules\SafeRemoteUrl;
use Illuminate\Foundation\Http\FormRequest;
class PDFConfigurationRequest extends FormRequest
@@ -37,6 +38,7 @@ class PDFConfigurationRequest extends FormRequest
'gotenberg_host' => [
'required',
'url',
new SafeRemoteUrl,
],
'gotenberg_papersize' => [
'required',