
CVE-2022-1713: 18.0.3 release · jgraph/drawio@283d41e

SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.


@@ -15,6 +15,7 @@ import java.net.URL; import java.net.URLConnection; import java.net.UnknownHostException; import java.net.InetAddress; import java.util.logging.Level; import java.util.logging.Logger;
@@ -245,42 +246,51 @@ public boolean checkUrlParameter(String url) { URL parsedUrl = new URL(url); String protocol = parsedUrl.getProtocol(); String host = parsedUrl.getHost().toLowerCase(); String host = parsedUrl.getHost(); InetAddress address = InetAddress.getByName(host); String hostAddress = address.getHostAddress(); host = host.toLowerCase();
return (protocol.equals(“http”) || protocol.equals(“https”)) && !host.endsWith(“.internal”) && !host.endsWith(“.local”) && !host.contains(“localhost”) && !host.startsWith(“0.”) // 0.0.0.0/8 && !host.startsWith(“10.”) // 10.0.0.0/8 && !host.startsWith(“127.”) // 127.0.0.0/8 && !host.startsWith(“169.254.”) // 169.254.0.0/16 && !host.startsWith(“172.16.”) // 172.16.0.0/12 && !host.startsWith(“172.17.”) // 172.16.0.0/12 && !host.startsWith(“172.18.”) // 172.16.0.0/12 && !host.startsWith(“172.19.”) // 172.16.0.0/12 && !host.startsWith(“172.20.”) // 172.16.0.0/12 && !host.startsWith(“172.21.”) // 172.16.0.0/12 && !host.startsWith(“172.22.”) // 172.16.0.0/12 && !host.startsWith(“172.23.”) // 172.16.0.0/12 && !host.startsWith(“172.24.”) // 172.16.0.0/12 && !host.startsWith(“172.25.”) // 172.16.0.0/12 && !host.startsWith(“172.26.”) // 172.16.0.0/12 && !host.startsWith(“172.27.”) // 172.16.0.0/12 && !host.startsWith(“172.28.”) // 172.16.0.0/12 && !host.startsWith(“172.29.”) // 172.16.0.0/12 && !host.startsWith(“172.30.”) // 172.16.0.0/12 && !host.startsWith(“172.31.”) // 172.16.0.0/12 && !host.startsWith(“192.0.0.”) // 192.0.0.0/24 && !host.startsWith(“192.168.”) // 192.168.0.0/16 && !host.startsWith(“198.18.”) // 198.18.0.0/15 && !host.startsWith(“198.19.”) // 198.18.0.0/15 && !address.isAnyLocalAddress() && !address.isLoopbackAddress() && !host.endsWith(“.internal”) // Redundant && !host.endsWith(“.local”) // Redundant && !host.contains(“localhost”) // Redundant && !hostAddress.startsWith(“0.”) // 0.0.0.0/8 && !hostAddress.startsWith(“10.”) // 10.0.0.0/8 && !hostAddress.startsWith(“127.”) // 127.0.0.0/8 && !hostAddress.startsWith(“169.254.”) // 169.254.0.0/16 && !hostAddress.startsWith(“172.16.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.17.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.18.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.19.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.20.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.21.”) // 
172.16.0.0/12 && !hostAddress.startsWith(“172.22.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.23.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.24.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.25.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.26.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.27.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.28.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.29.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.30.”) // 172.16.0.0/12 && !hostAddress.startsWith(“172.31.”) // 172.16.0.0/12 && !hostAddress.startsWith(“192.0.0.”) // 192.0.0.0/24 && !hostAddress.startsWith(“192.168.”) // 192.168.0.0/16 && !hostAddress.startsWith(“198.18.”) // 198.18.0.0/15 && !hostAddress.startsWith(“198.19.”) // 198.18.0.0/15 && !host.endsWith(“.arpa”); // reverse domain (needed?) } catch (MalformedURLException e) { return false; } catch (UnknownHostException e) { return false; } } else {
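Review bot: The resolved address is only compared by string prefix on `hostAddress`, and `InetAddress.getByName(host)` yields a single address, so an IPv6 result (fe80::/10 link-local, an IPv4-mapped form) or any further A/AAAA record the name carries is never checked against the ranges listed in this hunk. The predicates InetAddress already offers cover 10/8, 172.16/12, 192.168/16 and 169.254/16 for IPv4 and fe80::/10 for IPv6, so `&& !address.isSiteLocalAddress()` and `&& !address.isLinkLocalAddress()` could replace the eighteen `hostAddress.startsWith(...)` lines, and resolving with `InetAddress.getAllByName(host)` and applying every check to each returned address would close the multi-record gap. The proxy presumably opens the connection by name rather than by the address validated here (the connect call is outside the hunk), so the name can resolve differently between check and connect; connecting to the validated address, or caching it for the connect, would make this check binding. The three `host` lines marked `// Redundant` repeat the earlier `host.endsWith`/`host.contains` checks in the same expression and can simply be dropped, and the `// 172.16.0.0/12` comment is repeated on every 172.17–172.31 line where one comment on the first would do. checkUrlParameter's body continues past the hunk's closing `} else {`.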
