CVE-2023-25230: The ssrf vulnerability exists in the system. · Issue #402 · blackholll/loonflow

loonflow r2.0.14 is vulnerable to server-side request forgery (SSRF).

#vulnerability#redis#ssrf

ISSUE TEMPLATE

Version used:
r2.0.14
Detailed description of the problem:
The SSRF vulnerability exists in the system.

After the admin logs in, create a new workflow, set the participant type to hook, and set the participant's hook_url parameter to an intranet address. Example: {"hook_url": "http://127.0.0.1:8000/", "hook_token": "111", "wait": false, "extra_info": "111"}

Select the workflow we created when building a new work order.

When viewing the operation history of the work order, the system shows: Expecting "line 1 column 1 (char 0)".

When the accessed port is closed, the connection is refused, for example: HTTPConnectionPool(host='127.0.0.1', port=8808): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f1ad48cc048>: Failed to establish a new connection: [Errno 111] Connection refused',))
In this way, we can judge whether a port on the intranet is open from the different errors.
For example, if I set "hook_url" to http://127.0.0.1:6379, there will be an error: "('Connection aborted.', RemoteDisconnected('Remote end closed connection without response',))", from which you can determine that a Redis service exists on the intranet.
In addition, packets can be sent to intranet services through this function, causing DoS attacks.

The cause of the vulnerability:
There are no restrictions on the request address.
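As an added example (not part of the issue or of the loonflow project), a hypothetical `check_hook_url` validator in Python showing the restriction the report says is missing: it accepts only http/https, resolves the host, and rejects any URL that maps to a loopback, private, link-local or otherwise non-public address, including IPv4-mapped IPv6 forms. The `resolver` parameter and all function names are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical validator (not loonflow's code): decide whether a
# user-supplied hook_url may be fetched by the server at all.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver: every address the host name maps to (v4 and v6)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def _is_public(addr):
    """True only for globally routable addresses. IPv4-mapped IPv6
    (e.g. ::ffff:127.0.0.1) is judged by its embedded IPv4 address."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def check_hook_url(url, resolver=_resolve):
    """Return (ok, reason). `resolver` is injectable so the check can be
    unit-tested without DNS access."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return False, "cannot resolve %s: %s" % (host, exc)
    if not addrs:
        return False, "host %s resolved to no address" % host
    # Every address the name maps to must be public, not just the first.
    for addr in addrs:
        if not _is_public(addr):
            return False, "%s maps to non-public address %s" % (host, addr)
    return True, "ok"
```

Validating once and then letting the HTTP client resolve the name again leaves a DNS-rebinding window, so in production connect to the vetted address (or re-check at connect time) and apply the same check to every redirect target.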
