Work around SSRF issue

Ingredients needed for the issue to occur are:

* an allowed IPv4 range
* a checked IPv6 address
* the checked address must be wrapped in HTTPX::Resolver::Entry

This leads to a failure in checking address inclusion by IPAddr.
Jan Sandbrink
2026-06-05 09:45:04 +02:00
parent 396de9362f
commit 5689a105a0
+7 -1
@@ -46,7 +46,13 @@ module OpenProject
end
def addresses=(addrs)
addrs.reject!(&SsrfProtection.method(:unsafe_ip_address?)) # rubocop:disable Performance/MethodObjectAsBlock
addrs.reject! do |addr|
# working around an error in IPAddr that fails to check address inclusion if the passed address is not an
# IPAddr, but a SimpleDelegator to an IPAddr (like HTTPX::Resolver::Entry).
addr = addr.address if addr.respond_to?(:address)
SsrfProtection.send(:unsafe_ip_address?, addr)
end
raise ServerSideRequestForgeryError, "#{@origin.host} has no public IP addresses" if addrs.empty?
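Review bot: the new `SsrfProtection.send(:unsafe_ip_address?, addr)` line reaches a non-public method through `send`, which silently bypasses visibility and will keep working even if that method is later renamed or made private on purpose; the replaced line used `SsrfProtection.method(:unsafe_ip_address?)`, so the cleanest fix is to expose a public entry point on `SsrfProtection` (or make `unsafe_ip_address?` public) and call it directly, e.g. `SsrfProtection.unsafe_ip_address?(addr)`. The unwrap `addr = addr.address if addr.respond_to?(:address)` relies on whatever `HTTPX::Resolver::Entry#address` returns being a plain `IPAddr`; a short comment stating that expectation, and a spec that feeds an `HTTPX::Resolver::Entry`-wrapped IPv6 address against an allowed IPv4 range (the exact combination the commit message names), would pin the workaround down so the original IPAddr inclusion failure cannot quietly return.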