Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qZ2g4LXZjaHctcTNnN84AAxOa

safeurl-python contains Server-Side Request Forgery

Description

In SafeURL it is possible to specify a list of domains that should be matched before a request is sent out. The regex used to compare domains did not work as intended.

Impact

The regex used was:

re.match("(?i)^%s" % domain, value)

This has two problems, first that only the beginning and not the end of the string is anchored. Second, that a dot in the domain matches any character as part of regex syntax.

Therefore, an allowlist of ["victim.com"] could allow the domain "victimacomattacker.com" to be requested.

This has lower impact since the usual attacker aim in an SSRF is to request internal resources such as private IP addresses rather than an attacker's own domain. But, in a case where SafeURL had specifically been used to try to limit requests to a particular allowlist, say for example a PDF renderer, the finding would be more severe.

Patches

Fixed in https://github.com/IncludeSecurity/safeurl-python/pull/5

References

Server-side request forgery (SSRF)

Permalink: https://github.com/advisories/GHSA-jgh8-vchw-q3g7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZ2g4LXZjaHctcTNnN84AAxOa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


Identifiers: GHSA-jgh8-vchw-q3g7, CVE-2023-24622
References: Repository: https://github.com/IncludeSecurity/safeurl-python

Affected Packages

pypi:safeurl-python
Dependent packages: 0
Dependent repositories: 1
Downloads: 514 last month
Affected Version Ranges: < 1.2
Fixed in: 1.2
All affected versions:
All unaffected versions: