Hi Team,
While we were testing our security engine at Shieldfy (https://shieldfy.io), we found a server-side request forgery (SSRF) vulnerability in the Uppy npm package.
It allows an attacker to easily extract internal information from the server or take control of internal services.
module name: Uppy
version: Latest: 1.8.0
npm page: https://www.npmjs.com/package/uppy
Uppy is a sleek, modular JavaScript file uploader that integrates seamlessly with any application. It's fast, easy to use and lets you worry about more important problems than building a file uploader.
[1] weekly downloads : 23,153
Server Side Request Forgery (SSRF)
In the source code of the module, file packages/@uppy/companion/src/server/controllers/url.js, line 11, you will find that express routes the /get endpoint to the function get declared in line 43.
That function then calls [`downloadURL` in line 61](https://github.com/transloadit/uppy/blob/746bbcbbc5dc64203390322b28fb380ec67bd94f/packages/%40uppy/companion/src/server/controllers/url.js#L61) and passes `req.body.url` to it as an argument.
The function downloadURL, declared in line 80, requests that URL directly without any kind of sanitization or validation. This opens the door to SSRF attacks, allowing an attacker to read information from any internal resource or take control of any internal service.
Proof of concept (via the Link button), requesting:
http://169.254.169.254/metadata/v1/
returned the metadata directory listing:
id
hostname
user-data
vendor-data
public-keys
region
interfaces/
dns/
floating_ip/
tags/
features/
The suggested fix: validate the URL before it is fetched, and take `followAllRedirects` into account so that a redirect cannot be used to bypass that validation.
More info about SSRF can be found here: https://shieldfy.io/security-wiki/server-side-request-forgery/server-side-request-forgery/