fix the ssrf #287
fix the ssrf #287
Conversation
| def download_file(self, url): | ||
| injectd_url = self.extract_url(urllib2.unquote(url)) | ||
| try: | ||
| r = safe_request_url(injectd_url) |
| try: | ||
| r = safe_request_url(injectd_url) | ||
| except Exception as e: | ||
| logger.info(e) |
| except Exception as e: | ||
| logger.info(e) | ||
| file_name = None | ||
| return file_name |
| @@ -85,6 +134,7 @@ def download_file(self, url): | |||
|
|
|||
| def handle(self, attack_event): | |||
| if attack_event.http_request.command == 'GET': | |||
| #pass | |||
| @@ -54,9 +97,15 @@ def store_file(self, injected_file): | |||
| with open(os.path.join(self.files_dir, file_name), 'w+') as local_file: | |||
| local_file.write(injected_file) | |||
| return file_name | |||
|
|
|||
| ip_address = socket.getaddrinfo(hostname, 'http')[0][4][0] | ||
| if is_inner_ipaddress(ip_address): | ||
| logger.info("inner ip address attack") | ||
| raise BaseException("inner ip address attack") |
There was a problem hiding this comment.
Because the others may attack the inner network, we must filter the url before we use our web server to request url.
There was a problem hiding this comment.
I actually like this. This should only happening when testing. Maybe instead of raising an exception give it a classification?
There was a problem hiding this comment.
Yeah, your are right. I will change it, but nowadays I am too busy, maybe I will send a pull request slowly.
|
|
||
| import glastopf.sandbox.sandbox as sandbox | ||
| from glastopf.modules.handlers import base_emulator | ||
|
|
||
| logger = logging.getLogger(__name__) | ||
|
|
||
| def check_ssrf(url): |
There was a problem hiding this comment.
what are you actually checking here?
There was a problem hiding this comment.
Can you find a better name for this function?
There was a problem hiding this comment.
maybe you can give me a better name.
| except BaseException as e: | ||
| return False, str(e) | ||
| except: | ||
| return False, "unknow error" |
There was a problem hiding this comment.
please improve the exception handling here
| return False, "unknow error" | ||
|
|
||
| def safe_request_url(url, **kwargs): | ||
| success, errstr = check_ssrf(url) |
| def safe_request_url(url, **kwargs): | ||
| success, errstr = check_ssrf(url) | ||
| if not success: | ||
| raise requests.exceptions.InvalidURL("SSRF Attack: %s" % (errstr,)) |
There was a problem hiding this comment.
was it actually a SSRF attack or just someone using the server from someone else to inject some code?
|
Closing due to inactivity |
Someone may attack the local network, I fix it. My English is not fluent, I hope you can understand my means.