SECURITY: SSRF vulnerability in TopicEmbed

Block redirects when making the final request in TopicEmbed to prevent Server Side Request Forgery (SSRF)
2024-11-25 02:11:08 -06:00 · 2023-10-27 14:02:20 +11:00 · 2023-10-27 14:02:20 +11:00 · 5f20748e40
commit 5f20748e40
parent 7d484864fe
2 changed files with 15 additions and 2 deletions
--- a/app/models/topic_embed.rb
+++ b/app/models/topic_embed.rb
@ -126,8 +126,8 @@ class TopicEmbed < ActiveRecord::Base
    return if uri.blank?

    begin
-      html = uri.read
-    rescue OpenURI::HTTPError, Net::OpenTimeout
+      html = FinalDestination::HTTP.get(uri)
+    rescue OpenURI::HTTPError, Net::OpenTimeout, FinalDestination::SSRFDetector::DisallowedIpError
      return
    end

--- a/spec/models/topic_embed_spec.rb
+++ b/spec/models/topic_embed_spec.rb
@ -299,6 +299,19 @@ RSpec.describe TopicEmbed do
        response = TopicEmbed.find_remote(url)
        expect(response.title).to eq("Through the Looking Glass")
      end
+
+      it "doesn't follow redirect when making request" do
+        FinalDestination.any_instance.stubs(:resolve).returns(URI("https://redirect.com"))
+        stub_request(:get, "https://redirect.com/").to_return(
+          status: 301,
+          body: "<title>Moved permanently</title>",
+          headers: {
+            "Location" => "https://www.example.org/",
+          },
+        )
+        response = TopicEmbed.find_remote(url)
+        expect(response.title).to eq("Moved permanently")
+      end
    end

    context 'with post with allowed classes "foo" and "emoji"' do