Comments (7)
freddyb
commented on May 14, 2024
1
Note that the IP address blacklist must happen after resolving domain names. DNS checking can be tricky since you must assume that the attacker controls the DNS and can return a different IP when you check and when you use it again for doing the request (TOCTOU).
The blacklist should contain much more than just 127.* and localhost. Consider other local addresses (link-local, LAN, …) and IPv6.
Happy to look at your patch and attempt to bypass, if that helps.
from graby.
j0k3r
commented on May 14, 2024
I've read few articles about how to try to fix that, like this one: http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-3.html
- Error handling and message:
Try to display common error message to avoid data leak (I think it's already done) - Restrict connectivity to HTTP based ports:
Should be restrict url to target 80 & 443 and don't care about others ? - Blacklist IP addresses:
Like 127.* and localhost - Disable unwanted protocols
Keep http(s) is enough I think
from graby.
j0k3r
commented on May 14, 2024
About your first point, should gethostbynamel be enough?
I think I can grab some good stuff from https://github.com/fin1te/safecurl
Like these local addresses:
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/29
192.0.2.0/24
192.88.99.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
from graby.
freddyb
commented on May 14, 2024
Maybe you can just use safecurl completely instead of curl? It has a good security track record!
from graby.
j0k3r
commented on May 14, 2024
Yeah, that could be a good idea but I'm not using cURL directly I'm using Guzzle. I need to check how can I use them together.
from graby.
freddyb
commented on May 14, 2024
Security is never easy ;-)
Maybe you could look into how much work it is to create a guzzle+safecurl fork?
from graby.
j0k3r
commented on May 14, 2024
I don't think I'll need to created a fork, maybe a simple PR to SafeCurl should be enough since Guzzle v6 add ability to define a different handler: https://github.com/guzzle/guzzle/blob/master/src/Handler/CurlHandler.php
I just need to create a custom one for SafeCurl.
I'll see :)
from graby.
Related Issues (20)
- Installing Graby with Symfony 6.1 HOT 3
- Add more image lazy load attributes
- Skip site-config if selector does not exist HOT 1
- function convert2Utf8() return wrong HOT 1
- Prefered way for paywalled articles HOT 2
- graby for wallabag with custom site_config
- site_config's author definition is ignored if present in json HOT 2
- Date tests failing locally HOT 1
- Cannot install with composer HOT 8
- Support for websites with login page in two steps HOT 2
- Allow to configure httplug-ssrf-plugin
- Using Graby with Laravel HOT 1
- Error: Call to a member function saveXML() on null HOT 2
- Setting prefetched content breaks after utf8 conversion HOT 2
- Removing empty nodes early breaks medium.com images HOT 6
- Fingerprint match could double the output
- Question for wrap_in() HOT 3
- Optional Parameters can only come after required in PHP 8
- Document Symfony HttpClient HOT 5
- GrabyFormatter::addRowWithLevel(): Argument #2 ($th) must be of type string, int given,
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from graby.