SSRF and Internal Data Exfiltration via file_url Submissions #4970

@Youssef-SH

Description

The submission pipeline allows user-controlled URLs to be fetched by the backend, enabling server-side requests to unintended network destinations.

Summary

The file_url parameter used during submission handling allows fetching arbitrary URLs without sufficient validation. This enables Server-Side Request Forgery (SSRF), allowing access to internal or non-public network resources and resulting in unintended data exfiltration.

Affected Area

  • Submission file download logic (file_url)
  • Backend job/task responsible for fetching remote submission files

Impact

A malicious user can supply a crafted file_url pointing to internal services or local network resources (e.g. loopback, link-local, or internal DNS names).
The fetched content is stored as a submission file and becomes accessible via the platform, effectively enabling internal data exfiltration.

This was reproduced locally by submitting a URL pointing to an internal HTTP service and retrieving the stored submission file.

Proof of Concept (High-level)

  1. Submit a challenge entry with file_url pointing to an internal or non-public HTTP endpoint.
  2. The backend fetches the resource without restricting the destination.
  3. The response content is saved and served back as a submission file.

Expected Behavior

The backend should only allow downloads from publicly routable HTTP(S) endpoints and reject:

  • Loopback addresses
  • Private or link-local IP ranges
  • Internal DNS-resolved addresses
  • Other non-public network targets

Suggested Mitigation

  • Resolve hostnames and validate all resulting IPs
  • Block non-public, loopback, link-local, multicast, and reserved IP ranges
  • Perform validation before making outbound requests
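One way to implement the three mitigation points above, as an added example that is not the project's own code: a validator that is called before any outbound request, resolves the host, checks every returned address, and hands back the vetted IP for the fetch to connect to. The function and class names are assumed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example (not the project's code): validate a user-supplied file_url by
# resolving the host and rejecting any address that is not globally routable,
# before any outbound request is made.

class UnsafeUrlError(ValueError):
    """Raised when a file_url points at a non-public network destination."""

def resolve_all(host: str) -> list:
    """Return every A/AAAA answer for host (answers may mix public and private records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, private, link-local, reserved, unspecified
    # and documentation ranges; multicast is excluded explicitly as well.
    return ip.is_global and not ip.is_multicast

def validate_file_url(url: str, resolver=resolve_all) -> str:
    """Validate url and return the vetted IP the fetch must connect to, or raise."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeUrlError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise UnsafeUrlError("missing host")
    try:
        ipaddress.ip_address(host)  # literal IP such as 127.0.0.1 or [::1]
        addrs = [host]
    except ValueError:
        addrs = resolver(host)  # hostname: check every resolved address
    if not addrs:
        raise UnsafeUrlError(f"{host!r} did not resolve")
    for addr in addrs:
        if not is_public_address(addr):
            raise UnsafeUrlError(f"{host!r} resolves to non-public address {addr}")
    # Return the checked address so the caller connects to it (keeping the original
    # Host header / SNI) instead of re-resolving and racing a changed DNS answer.
    return addrs[0]

def is_safe_file_url(url: str, resolver=resolve_all) -> bool:
    try:
        validate_file_url(url, resolver)
        return True
    except UnsafeUrlError:
        return False
```

The fetch should also refuse to follow redirects blindly, since each redirect target needs the same validation before it is requested.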

Additional Notes

This issue represents a trust-boundary violation between user input and backend network access. Proper validation at this boundary would prevent SSRF and related data exposure risks.
