fix: remove open SSRF proxy and add auth to govtool endpoints#344

Open
zeroknowledge0x wants to merge 1 commit into IntersectMBO:main from zeroknowledge0x:fix/issue-4168-remove-ssrf-proxy

Conversation

@zeroknowledge0x


Fixes IntersectMBO/govtool#4168

Problem

The POST /api/proxy endpoint was an unauthenticated open SSRF proxy. Any anonymous caller could make the server fetch arbitrary URLs, including:

  • Cloud metadata (169.254.169.254) → IAM credential theft
  • Internal services (database:5432, localhost:1337) → internal network traversal
  • Arbitrary POST requests → request forgery against internal APIs

The endpoint was dead code — the frontend only uses /api/proxy/govtool/... endpoints.

Changes

  1. Remove forward() handler — the generic POST /proxy endpoint that was the SSRF vector
  2. Remove POST /proxy route — from routes configuration
  3. Add authentication — set auth: true on govtool proxy endpoints (previously auth: false)
  4. Add URL validation — reject endpoint paths containing .., leading /, or :// to prevent traversal
  5. Add config check — return 500 if GOVTOOL_API_BASE_URL is not configured

Testing

  • Verify POST /api/proxy returns 404 (route removed)
  • Verify GET /api/proxy/govtool/test requires authentication
  • Verify POST /api/proxy/govtool/test requires authentication
  • Verify path traversal attempts (e.g., ../../etc/passwd) are rejected
  • Verify normal govtool proxy requests still work with valid auth

Remove the generic POST /proxy endpoint (forward handler) which was an
unauthenticated open SSRF proxy allowing any caller to make the server
fetch arbitrary URLs, including cloud metadata and internal services.

Changes:
- Remove forward() handler from proxy controller
- Remove POST /proxy route from routes config
- Add authentication requirement (auth: true) to govtool proxy endpoints
- Add URL validation to prevent path traversal attacks
- Add GOVTOOL_API_BASE_URL configuration check

The frontend only uses /api/proxy/govtool/... endpoints, confirming
the generic /api/proxy was dead code that shipped to production.

Fixes #4168
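The request checks the PR describes (authentication required, GOVTOOL_API_BASE_URL must be configured, endpoint paths containing `..`, a leading `/` or `://` rejected), written up as an added JavaScript example that is not the project's code. The handler shape, function names and the sample base URL are assumptions; as an extra check beyond the string rules, the resolved upstream URL must still sit under the configured base.

```javascript
// Added example, not the project's proxy controller. The checks are modelled as a
// pure function so they can be exercised without a server or an upstream fetch.
// Assumptions: `endpointPath` is the part of the request after /api/proxy/govtool/,
// `baseUrl` is the value of GOVTOOL_API_BASE_URL, and the framework has already
// evaluated `auth: true` and passes the result in as `isAuthenticated`.

const BAD_PATH_RULES = [
  { test: (p) => p.includes('..'), reason: 'contains ".."' },
  { test: (p) => p.startsWith('/'), reason: 'has a leading "/"' },
  { test: (p) => p.includes('://'), reason: 'contains "://"' },
];

// Returns null when the endpoint path passes the PR's rules, otherwise the reason.
function endpointPathError(endpointPath) {
  if (typeof endpointPath !== 'string' || endpointPath.length === 0) return 'empty path';
  for (const rule of BAD_PATH_RULES) {
    if (rule.test(endpointPath)) return rule.reason;
  }
  return null;
}

// Resolves the path against the base and returns the absolute URL, or null when
// the resolved target no longer starts with the base (defence in depth: a path that
// slipped past the string rules still cannot leave the configured upstream prefix).
function resolveUpstreamUrl(baseUrl, endpointPath) {
  const base = baseUrl.endsWith('/') ? baseUrl : `${baseUrl}/`;
  const resolved = new URL(endpointPath, base).href;
  return resolved.startsWith(base) ? resolved : null;
}

// Mirrors the order a handler would apply the checks: reject anonymous callers
// first, then fail closed on missing configuration, then validate the path.
function handleGovtoolProxy({ isAuthenticated, endpointPath, baseUrl }) {
  if (!isAuthenticated) return { status: 401, error: 'authentication required' };
  if (!baseUrl) return { status: 500, error: 'GOVTOOL_API_BASE_URL is not configured' };
  const pathError = endpointPathError(endpointPath);
  if (pathError) return { status: 400, error: `invalid endpoint path: ${pathError}` };
  const upstreamUrl = resolveUpstreamUrl(baseUrl, endpointPath);
  if (!upstreamUrl) return { status: 400, error: 'endpoint path escapes the configured base URL' };
  return { status: 200, upstreamUrl };
}
```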


Successfully merging this pull request may close these issues.

🐛 [Bounty] - Unauthenticated Open SSRF Proxy in POST /api/proxy allows any attacker to reach internal services and exfiltrate cloud credentials
