Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
Description
https://jmap.io/spec-core.html#connection-to-unknown-push-server
```
The server MUST ensure the URL is externally resolvable to avoid server-side request forgery, where the server makes a request to a resource on its internal network.
```
We do not do that.
We should resolve the hostname of the URL and reject it if it belongs to one of these networks:
```
Private network class A: 10.0.0.0 — 10.255.255.255
Private network class B: 172.16.0.0 — 172.31.255.255
Private network class C: 192.168.0.0 — 192.168.255.255
Loopback: 127.0.0.0 — 127.255.255.255
```
This should be done at Push subscription creation, as well as when submitting push notifications.
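As an added illustration (not the project's own code), a Python check that resolves the URL's host and rejects it if any returned address falls in the ranges listed above. The resolver is injectable so the check can be exercised offline, and IPv4-mapped IPv6 literals are unwrapped so they cannot sidestep the IPv4 ranges; the hostnames and addresses in the comments are constructed.

```python
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlsplit

# The ranges listed in the ticket (constructed here; not the project's own list).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),      # private class A
    ipaddress.ip_network("172.16.0.0/12"),   # private class B
    ipaddress.ip_network("192.168.0.0/16"),  # private class C
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
]


def is_blocked_address(address: str) -> bool:
    """True if the address falls inside one of the blocked IPv4 ranges."""
    ip = ipaddress.ip_address(address)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.1) so the IPv4 rules still apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.version == 4 and any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list:
    """Every address the system resolver returns, not only the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_push_url(url: str, resolver: Callable[[str], list] = resolve_all) -> Optional[str]:
    """Return None if the URL is acceptable, otherwise the reason to reject it.

    Intended to run when the push subscription is created and again right
    before each push is sent, so a later DNS change is caught as well.
    """
    host = urlsplit(url).hostname
    if not host:
        return "URL has no host"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addresses = resolver(host)
        except socket.gaierror:
            return f"{host} does not resolve"
    if not addresses:
        return f"{host} does not resolve"
    for address in addresses:
        if is_blocked_address(address):
            return f"{host} resolves to {address}, which is not externally reachable"
    return None
```

A host that resolves to a mix of public and private addresses is rejected outright, since the client library may connect to any of them. Plain IPv6 hosts are outside the ranges the ticket lists and would need their own denylist.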
*DOD*: integration tests rejecting server-side request forgery attempts against webadmin.
Remark: not a CVE vulnerability as it is not part of any released artifact.