
fix: prevent SSRF in fetch upload by blocking private/internal IPs#287

Open
tranquac wants to merge 1 commit into 88250:master from tranquac:fix/ssrf-fetch-upload

Conversation

@tranquac

Summary

Prevent SSRF in the fetch upload endpoint by validating that the target URL doesn't resolve to private or internal IP addresses.

Problem

The fetchUpload method in FetchUploadProcessor.java fetches a user-supplied URL without SSRF protection:

final String originalURL = requestJSONObject.optString(Common.URL);
if (!Strings.isURL(originalURL) || !StringUtils.startsWithIgnoreCase(originalURL, "http")) {
    return;
}
// ...
final HttpRequest req = HttpRequest.get(originalURL);

The only validation is that the URL starts with http — no check for private/internal IPs. An attacker can:

  • Access cloud metadata: http://169.254.169.254/latest/meta-data/
  • Scan internal network services
  • Access internal admin interfaces

Fix

Added IP validation using InetAddress after URL parsing:

final InetAddress address = InetAddress.getByName(parsedUrl.getHost());
if (address.isLoopbackAddress() || address.isSiteLocalAddress() || address.isLinkLocalAddress()) {
    return;
}

Impact

  • Type: Server-Side Request Forgery (CWE-918)
  • Affected endpoint: fetchUpload
  • Risk: Cloud credential theft, internal network scanning
  • OWASP: A10:2021 — Server-Side Request Forgery
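An added example (not code from this PR or from the 88250 project) of the host check in a stricter form. It is a stand-alone Java class with hypothetical names (`FetchTargetValidator`, `vettedAddresses`, `isForbidden`); it resolves every address of the target host, rejects any that is loopback, link-local (including the 169.254.169.254 metadata range), site-local, unique-local IPv6, CGNAT, multicast or unspecified, and hands the vetted addresses back so the caller can connect to one of them rather than resolving the name a second time. Literal IPv4-mapped IPv6 addresses such as `::ffff:10.0.0.1` are returned by `InetAddress.getByName` as `Inet4Address`, so the IPv4 range checks cover them.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Added example, not part of the PR: stricter target-URL validation for a fetch-upload endpoint. */
public final class FetchTargetValidator {

    /** True if a request to this address must never be made on a user's behalf. */
    static boolean isForbidden(final InetAddress address) {
        return address.isAnyLocalAddress()      // 0.0.0.0, ::
            || address.isLoopbackAddress()      // 127.0.0.0/8, ::1
            || address.isLinkLocalAddress()     // 169.254.0.0/16 (cloud metadata), fe80::/10
            || address.isSiteLocalAddress()     // 10/8, 172.16/12, 192.168/16, fec0::/10
            || address.isMulticastAddress()     // 224.0.0.0/4, ff00::/8
            || isUniqueLocalIPv6(address)       // fc00::/7, not covered by isSiteLocalAddress
            || isCgnat(address);                // 100.64.0.0/10, shared address space
    }

    /** fc00::/7: the top seven bits of the first byte are 1111110. */
    private static boolean isUniqueLocalIPv6(final InetAddress address) {
        final byte[] b = address.getAddress();
        return b.length == 16 && (b[0] & 0xFE) == 0xFC;
    }

    /** 100.64.0.0/10: first byte 100, second byte in 64..127. */
    private static boolean isCgnat(final InetAddress address) {
        final byte[] b = address.getAddress();
        return b.length == 4 && (b[0] & 0xFF) == 100 && (b[1] & 0xC0) == 0x40;
    }

    /**
     * Parses the URL, restricts the scheme to http/https, resolves every address of the host and
     * rejects the request if any of them is forbidden. Returns the vetted addresses so the caller
     * can open the connection to one of them (sending the original name in the Host header)
     * instead of resolving again, which closes the DNS-rebinding window between check and fetch.
     */
    static List<InetAddress> vettedAddresses(final String originalURL)
            throws URISyntaxException, UnknownHostException {
        final URI uri = new URI(originalURL);
        final String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("only http/https are allowed");
        }
        final String host = uri.getHost();  // IPv6 literals come back bracketed; getAllByName accepts that
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("URL has no host");
        }
        final List<InetAddress> result = new ArrayList<>();
        for (final InetAddress a : InetAddress.getAllByName(host)) {
            if (isForbidden(a)) {
                throw new IllegalArgumentException("target resolves to a blocked address: " + a.getHostAddress());
            }
            result.add(a);
        }
        return result;
    }

    public static void main(final String[] args) {
        // Constructed sample inputs; literal addresses need no DNS lookup, so this runs offline.
        final String[] samples = {
            "http://169.254.169.254/latest/meta-data/",
            "http://127.0.0.1:8080/admin",
            "http://[::ffff:10.0.0.1]/",
            "http://[fd12::1]/",
            "http://100.64.1.1/",
            "file:///etc/passwd",
            "https://93.184.216.34/"
        };
        for (final String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + vettedAddresses(s));
            } catch (IllegalArgumentException | UnknownHostException | URISyntaxException e) {
                System.out.println("BLOCK " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats apply to any check of this shape: the fetch must connect to one of the returned addresses rather than re-resolving the host, and if the HTTP client follows redirects, each redirect target has to pass the same validation, since a public host can otherwise bounce the server to an internal one.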
