CVE-2023-5572: Vrite v0.3 (#45) · vriteio/vrite@1877683
Server-Side Request Forgery (SSRF) in GitHub repository vriteio/vrite prior to 0.3.0.
@@ -1,11 +1,10 @@ import { appRouter, errors, publicPlugin, trpcPlugin } from "@vrite/backend"; import { errors, publicPlugin, trpcPlugin, processAuth } from "@vrite/backend"; import staticPlugin from "@fastify/static"; import websocketPlugin from "@fastify/websocket"; import axios from "axios"; import viewPlugin from "@fastify/view"; import handlebars from "handlebars"; import { FastifyReply } from "fastify"; import { processAuth } from "@vrite/backend/src/lib/auth"; import { nanoid } from "nanoid"; import multipartPlugin from "@fastify/multipart"; import mime from "mime-types"; @@ -15,7 +14,7 @@ import path from "path";
const appService = publicPlugin(async (fastify) => { const renderPage = async (reply: FastifyReply): Promise<void> => { return reply.view("index.html", { return reply.header("X-Frame-Options", “SAMEORIGIN”).view("index.html", { PUBLIC_APP_URL: fastify.config.PUBLIC_APP_URL, PUBLIC_API_URL: fastify.config.PUBLIC_API_URL, PUBLIC_COLLAB_URL: fastify.config.PUBLIC_COLLAB_URL, @@ -51,57 +50,6 @@ const appService = publicPlugin(async (fastify) => { fastify.setNotFoundHandler(async (_request, reply) => { return renderPage(reply); }); fastify.get<{ Querystring: { url: string } }>("/proxy*", async (request, reply) => { const filterOutRegex = /(localhost|\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)(?::\d{0,4})?\b)/;
if (request.headers.origin) { reply.header("Access-Control-Allow-Origin", fastify.config.PUBLIC_APP_URL); reply.header("Access-Control-Allow-Methods", “GET”); reply.header( "Access-Control-Allow-Headers", request.headers[“access-control-request-headers”] ); } else if ( fastify.config.NODE_ENV !== “development” && !fastify.config.PUBLIC_APP_URL.includes(“localhost”) ) { // Prevent proxy abuse in production return reply.status(400).send(“Invalid Origin”); }
if ( filterOutRegex.test(request.query.url) && !request.query.url.includes(fastify.config.PUBLIC_ASSETS_URL) ) { return reply.status(400).send(“Invalid URL”); }
if (request.method === “OPTIONS”) { // CORS Preflight reply.send(); } else { const targetURL = request.query.url;
try { const response = await axios.get(targetURL, { responseType: “arraybuffer” });
if (!`${response.headers[“content-type”]}`.includes(“image”)) { return reply.status(400).send(“Invalid Content-Type”); }
reply.header("content-type", response.headers[“content-type”]); reply.send(Buffer.from(response.data, “binary”)); } catch (error) { // eslint-disable-next-line no-console console.error(error);
return reply.status(500).send(“Could not fetch”); } } }); fastify.post<{ Body: Buffer; }>("/upload", async (req, res) => {
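Review bot: The `X-Frame-Options: SAMEORIGIN` header added to renderPage in the second hunk only reaches responses that go through that helper; HTML served by any other path (for example files served directly by the `@fastify/static` plugin imported in the first hunk, if it is registered for HTML) stays unprotected, and X-Frame-Options is a legacy control that current browsers treat as a fallback to the CSP `frame-ancestors` directive. Consider sending both, `reply.header("Content-Security-Policy", "frame-ancestors 'self'")` next to the existing header, or setting them once in an `onSend` hook so every response carries them. renderPage's body continues past the hunk, so a later line may already add a CSP; that cannot be seen here. The curly quotes around SAMEORIGIN in this rendering are presumably a display artefact, since TypeScript would reject them as string delimiters, but the value in the actual source should be checked to be a plain `"SAMEORIGIN"`.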