CVE-2022-25850: feat: ability to have a blacklist of target urls for proxy to make ca… · hoppscotch/proxyscotch@de67380
The package github.com/hoppscotch/proxyscotch before 1.0.0 is vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. It occurs when an HTTP request is made by the backend server to an untrusted URL submitted by a user. It leads to a leakage of sensitive information from the server.
@@ -24,6 +24,7 @@ var (
sessionFingerprint string
allowedOrigins []string
bannedOutputs []string
bannedDests []string
)
type Request struct {
@@ -49,6 +50,16 @@ type Response struct {
Headers map[string]string `json:"headers"`
}
func isAllowedDest(dest string) bool {
for _, b := range bannedDests {
if b == dest {
return false
}
}
return true
}
func isAllowedOrigin(origin string) bool {
if allowedOrigins[0] == “*” {
return true
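Review bot: isAllowedDest compares each banned entry to the destination with plain `==`, but DNS host names are case-insensitive, so an entry that differs from the checked hostname only in letter case is never matched; the comparison should be `if strings.EqualFold(b, dest) {` (the `strings` package is already imported for Initialize). The function also has no doc comment; I would add `// isAllowedDest reports whether dest (a bare hostname, as returned by url.URL.Hostname) is absent from the bannedDests list; matching is by exact name, so the list must contain every form a caller may use.` above it. isAllowedOrigin continues outside the hunk.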
@@ -68,13 +79,19 @@ func Initialize(
proxyURL string,
initialAllowedOrigins string,
initialBannedOutputs string,
initialBannedDests string,
onStatusChange statusChangeFunction,
withSSL bool,
finished chan bool,
) {
if initialBannedOutputs != “” {
bannedOutputs = strings.Split(initialBannedOutputs, “,”)
}
if initialBannedDests != “” {
bannedDests = strings.Split(initialBannedDests, “,”)
} else {
bannedDests = []string{}
}
allowedOrigins = strings.Split(initialAllowedOrigins, “,”)
accessToken = initialAccessToken
sessionFingerprint = uuid.New().String()
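Review bot: `bannedDests = strings.Split(initialBannedDests, ",")` keeps any surrounding whitespace, so a list written as "a, b" yields the entry " b", which can never equal a hostname and silently drops that ban; normalize each entry after the split with `for i := range bannedDests {`, `bannedDests[i] = strings.TrimSpace(bannedDests[i])`, `}`. The `else { bannedDests = []string{} }` branch is unnecessary, since ranging over a nil slice in isAllowedDest already returns true; leaving it is harmless but it differs from how bannedOutputs is handled two lines above. Initialize's body continues outside the hunk.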
@@ -209,6 +226,13 @@ func proxyHandler(response http.ResponseWriter, request *http.Request) {
proxyRequest.Method = requestData.Method
proxyRequest.URL, _ = url.Parse(requestData.Url)
// Block requests to illegal destinations
if !isAllowedDest(proxyRequest.URL.Hostname()) {
log.Print(“A request to a banned destination was made.”)
_, _ = fmt.Fprintln(response, “{\"success\": false, \"data\":{\"message\":\”(Proxy Error) Request cannot be to this destination.\"}}")
return
}
var params = proxyRequest.URL.Query()
for k, v := range requestData.Params {