fix(security): block SSRF via the Gotenberg host setting (GHSA-mfxg) (#664)

gotenberg_host was validated only with Laravel's 'url' rule, which permits
loopback/private/link-local hosts (e.g. http://127.0.0.1, http://10.0.0.1,
the cloud metadata endpoint http://169.254.169.254). When a PDF renders, the
server POSTs the document HTML to that host — an SSRF primitive.

- Adds App\Rules\SafeRemoteUrl: requires http(s) and rejects any host that
  resolves to a loopback/private/link-local/CGNAT/reserved address (IPv4 and
  IPv6), including literal-IP hosts.
- Wires it into PDFConfigurationRequest for gotenberg_host.
- Adds a defensive re-check in GotenbergPDFDriver before the outbound call to
  cover hosts set via env/seed/stale config or DNS rebinding (TOCTOU).

Adds unit tests for the rule + validator integration.
This commit is contained in:
Darko Gjorgjijoski
2026-06-12 09:18:57 +02:00
committed by GitHub
parent e92b08ef6a
commit d615cfb4ff
4 changed files with 178 additions and 0 deletions

View File

@@ -2,6 +2,7 @@
namespace App\Services\PDFDrivers;
use App\Rules\SafeRemoteUrl;
use Gotenberg\Gotenberg;
use Gotenberg\Stream;
use Illuminate\Http\Response;
@@ -43,6 +44,14 @@ class GotenbergPDFDriver
}
$host = config('pdf.connections.gotenberg.host');
// Defense in depth against SSRF: a host that bypassed request-time
// validation (env/seed/stale config, or DNS rebinding) must still not
// be able to target internal/private addresses.
if (! SafeRemoteUrl::isSafe((string) $host)) {
throw new \RuntimeException('Refusing to render PDF: unsafe Gotenberg host.');
}
$request = Gotenberg::chromium($host)
->pdf()
->margins(0, 0, 0, 0) // Margins can be set using CSS