mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-16 22:05:20 +00:00
fix(security): block SSRF via the Gotenberg host setting (GHSA-mfxg) (#664)
gotenberg_host was validated only with Laravel's 'url' rule, which permits loopback/private/link-local hosts (e.g. http://127.0.0.1, http://10.0.0.1, the cloud metadata endpoint http://169.254.169.254). When a PDF renders, the server POSTs the document HTML to that host — an SSRF primitive. - Adds App\Rules\SafeRemoteUrl: requires http(s) and rejects any host that resolves to a loopback/private/link-local/CGNAT/reserved address (IPv4 and IPv6), including literal-IP hosts. - Wires it into PDFConfigurationRequest for gotenberg_host. - Adds a defensive re-check in GotenbergPDFDriver before the outbound call to cover hosts set via env/seed/stale config or DNS rebinding (TOCTOU). Adds unit tests for the rule + validator integration.
This commit is contained in:
committed by
GitHub
parent
e92b08ef6a
commit
d615cfb4ff
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Services\PDFDrivers;
|
||||
|
||||
use App\Rules\SafeRemoteUrl;
|
||||
use Gotenberg\Gotenberg;
|
||||
use Gotenberg\Stream;
|
||||
use Illuminate\Http\Response;
|
||||
@@ -43,6 +44,14 @@ class GotenbergPDFDriver
|
||||
}
|
||||
|
||||
$host = config('pdf.connections.gotenberg.host');
|
||||
|
||||
// Defense in depth against SSRF: a host that bypassed request-time
|
||||
// validation (env/seed/stale config, or DNS rebinding) must still not
|
||||
// be able to target internal/private addresses.
|
||||
if (! SafeRemoteUrl::isSafe((string) $host)) {
|
||||
throw new \RuntimeException('Refusing to render PDF: unsafe Gotenberg host.');
|
||||
}
|
||||
|
||||
$request = Gotenberg::chromium($host)
|
||||
->pdf()
|
||||
->margins(0, 0, 0, 0) // Margins can be set using CSS
|
||||
|
||||
Reference in New Issue
Block a user