Merge pull request #1467 from KodeStar/2.x

Fixes to reduce the SSRF attack vector plus display image names

Author: KodeStar

.env.example

@@ -65,3 +65,5 @@ AUTH_ROLES_HEADER="remote-groups"
 AUTH_ROLES_HTTP_HEADER="HTTP_REMOTE_GROUPS"
 AUTH_ROLES_ADMIN="admin"
 AUTH_ROLES_DELIMITER=","
+
+ALLOW_INTERNAL_REQUESTS=false

app/Http/Controllers/ItemController.php

@@ -21,6 +21,7 @@
 use Illuminate\Validation\ValidationException;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\StreamInterface;
+use Illuminate\Http\Response;
 use enshrined\svgSanitize\Sanitizer;
 
 class ItemController extends Controller
@@ -490,25 +491,48 @@ public function testConfig(Request $request)
      */
     public function execute($url, array $attrs = [], $overridevars = false): ?ResponseInterface
     {
-        $vars = ($overridevars !== false) ?
-            $overridevars : [
-                'http_errors' => false,
-                'timeout' => 15,
-                'connect_timeout' => 15,
-                'verify' => false,
-            ];
+        // Default Guzzle client configuration
+        $clientOptions = [
+            'http_errors' => false,
+            'timeout' => 15,
+            'connect_timeout' => 15,
+            'verify' => false, // In production, set this to `true` and manage certs.
+        ];
+
+        // If the user provided overrides, use them.
+        if ($overridevars !== false) {
+            $clientOptions = $overridevars;
+        }
+
+        // Resolve the hostname to an IP address
+        $host = parse_url($url, PHP_URL_HOST);
+        $ip = gethostbyname($host);
 
-        $client = new Client($vars);
+        // Check if the IP is private or reserved
+        $allowInternalIps = env('ALLOW_INTERNAL_REQUESTS', false);
+        if (!$allowInternalIps && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
+            Log::warning('Blocked access to private or reserved IPs.', ['ip' => $ip, 'host' => $host]);
+            abort(Response::HTTP_FORBIDDEN, 'Access to private or reserved IPs is not allowed.');
+        }
+
+        // Force Guzzle to use the resolved IP address
+        $clientOptions['curl'][CURLOPT_RESOLVE] = ["{$host}:80:{$ip}", "{$host}:443:{$ip}"];
 
+        $client = new Client($clientOptions);
         $method = 'GET';
 
         try {
             return $client->request($method, $url, $attrs);
         } catch (ConnectException $e) {
-            Log::error('Connection refused');
-            Log::debug($e->getMessage());
+            Log::warning('SSRF Attempt Blocked: Connection to a private IP was prevented.', [
+                'url' => $url,
+                'error' => $e->getMessage()
+            ]);
+            return null;
         } catch (ServerException $e) {
             Log::debug($e->getMessage());
+        } catch (\Exception $e) {
+            Log::error('General error: ' . $e->getMessage());
         }
 
         return null;
@@ -520,10 +544,22 @@ public function execute($url, array $attrs = [], $overridevars = false): ?Respon
      */
     public function websitelookup($url): StreamInterface
     {
-        $url = base64_decode($url);
-        $data = $this->execute($url);
+        $decodedUrl = base64_decode($url);
+
+        // Validate the URL format.
+        if (filter_var($decodedUrl, FILTER_VALIDATE_URL) === false) {
+            abort(Response::HTTP_BAD_REQUEST, 'Invalid URL format provided.');
+        }
+
+        $response = $this->execute($decodedUrl);
 
-        return $data->getBody();
+        // If execute() returns null, it means the connection failed.
+        // This can happen for many reasons, including our SSRF protection kicking in.
+        if ($response === null) {
+            abort(Response::HTTP_FORBIDDEN, 'Access to the requested resource is not allowed or the resource is unavailable.');
+        }
+    
+        return $response->getBody();
     }
 
     /**

config/app.php

@@ -9,6 +9,7 @@
 
     'appsource' => env('APP_SOURCE', 'https://appslist.heimdall.site/'),
 
+    'allow_internal_requests' => env('ALLOW_INTERNAL_REQUESTS', false),
 
     'aliases' => Facade::defaultAliases()->merge([
         'EnhancedApps' => App\EnhancedApps::class,