CVE-2022-1722: Adds isLinkLocalAddress() to address checks · jgraph/drawio@cf5c78a
SSRF in editor’s proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses
Adds isLinkLocalAddress() to address checks
1 parent 4deecee commit cf5c78aa0f3127fb10053db55b39f3017a0654ae
Showing with 1 addition and 0 deletions.
- +1 −0 src/main/java/com/mxgraph/online/ProxyServlet.java
@@ -254,6 +254,7 @@ public boolean checkUrlParameter(String url)
return (protocol.equals(“http”) || protocol.equals(“https”))
&& !address.isAnyLocalAddress()
&& !address.isLoopbackAddress()
&& !address.isLinkLocalAddress()
&& !host.endsWith(“.internal”) // Redundant
&& !host.endsWith(“.local”) // Redundant
&& !host.contains(“localhost”) // Redundant
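Review bot: The added `!address.isLinkLocalAddress()` line in `checkUrlParameter` rejects fe80::/10 and 169.254.0.0/16, but the chain shown here still has no `!address.isSiteLocalAddress()` test. Unless the rest of the condition (cut off after the `localhost` check in this hunk) already handles it, private ranges such as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 would still pass this check. Consider adding that test next to the new line, plus an explicit check for IPv6 unique-local addresses (fc00::/7), which `InetAddress` has no predicate for. The commit touches only `ProxyServlet.java`, so a regression test that feeds a link-local IPv6 literal to `checkUrlParameter` and expects `false` would keep this fix from silently regressing. The three `host.endsWith`/`host.contains` lines are marked `// Redundant`; a short comment saying which address check makes each one redundant would help the next reader decide whether they can be dropped.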