Decorate hte attachment download and generic web provider with the NoPrivateNetworkHttpClient

This is for security hardening to prevent SSRF attacks

Author: jbtronics

src/Services/Attachments/AttachmentSubmitHandler.php

@@ -44,6 +44,7 @@
 use App\Settings\SystemSettings\AttachmentsSettings;
 use Hshn\Base64EncodedFile\HttpFoundation\File\Base64EncodedFile;
 use Hshn\Base64EncodedFile\HttpFoundation\File\UploadedBase64EncodedFile;
+use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
 use const DIRECTORY_SEPARATOR;
 use InvalidArgumentException;
 use RuntimeException;
@@ -95,6 +96,8 @@ public function __construct(
             UserAttachment::class => 'user',
             LabelAttachment::class => 'label_profile',
         ];
+
+        $this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
     }
 
     /**
@@ -373,6 +376,7 @@ protected function downloadURL(Attachment $attachment, bool $secureAttachment):
                 ],
 
             ];
+
             $response = $this->httpClient->request('GET', $url, $opts);
             //Digikey wants TLSv1.3, so try again with that if we get a 403
             if ($response->getStatusCode() === 403) {
@@ -434,8 +438,8 @@ protected function downloadURL(Attachment $attachment, bool $secureAttachment):
             $new_path = $this->pathResolver->realPathToPlaceholder($new_path);
             //Save the path to the attachment
             $attachment->setInternalPath($new_path);
-        } catch (TransportExceptionInterface) {
-            throw new AttachmentDownloadException('Transport error!');
+        } catch (TransportExceptionInterface $exception) {
+            throw new AttachmentDownloadException('Transport error: '.$exception->getMessage());
         }
 
         return $attachment;

src/Services/InfoProviderSystem/Providers/GenericWebProvider.php

@@ -42,6 +42,7 @@
 use Brick\Schema\SchemaReader;
 use Brick\Schema\SchemaTypeList;
 use Symfony\Component\DomCrawler\Crawler;
+use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 class GenericWebProvider implements InfoProviderInterface
@@ -55,7 +56,8 @@ public function __construct(HttpClientInterface $httpClient, private readonly Ge
         private readonly ProviderRegistry $providerRegistry, private readonly PartInfoRetriever $infoRetriever,
     )
     {
-        $this->httpClient = (new RandomizeUseragentHttpClient($httpClient))->withOptions(
+        //Use NoPrivateNetworkHttpClient to prevent SSRF vulnerabilities, and RandomizeUseragentHttpClient to make it harder for servers to block us
+        $this->httpClient = (new RandomizeUseragentHttpClient(new NoPrivateNetworkHttpClient($httpClient)))->withOptions(
             [
                 'timeout' => 15,
             ]