Skip to content

Commit

Permalink
Merge pull request from GHSA-gph5-rx77-3pjg
Browse files Browse the repository at this point in the history
fix: validate the url to avoid SSRF
  • Loading branch information
fred-bf authored Jun 24, 2024
2 parents 78e7ea7 + 9fb8fbc commit dad1221
Showing 1 changed file with 17 additions and 3 deletions.
20 changes: 17 additions & 3 deletions app/api/webdav/[...path]/route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,14 @@ const mergedAllowedWebDavEndpoints = [
...config.allowedWebDevEndpoints,
].filter((domain) => Boolean(domain.trim()));

const normalizeUrl = (url: string) => {
try {
return new URL(url);
} catch (err) {
return null;
}
};

async function handle(
req: NextRequest,
{ params }: { params: { path: string[] } },
Expand All @@ -24,9 +32,15 @@ async function handle(

// Validate the endpoint to prevent potential SSRF attacks
if (
!mergedAllowedWebDavEndpoints.some(
(allowedEndpoint) => endpoint?.startsWith(allowedEndpoint),
)
!endpoint ||
!mergedAllowedWebDavEndpoints.some((allowedEndpoint) => {
const normalizedAllowedEndpoint = normalizeUrl(allowedEndpoint);
const normalizedEndpoint = normalizeUrl(endpoint as string);

return normalizedEndpoint &&
normalizedEndpoint.hostname === normalizedAllowedEndpoint?.hostname &&
normalizedEndpoint.pathname.startsWith(normalizedAllowedEndpoint.pathname);
})
) {
return NextResponse.json(
{
Expand Down

0 comments on commit dad1221

Please sign in to comment.