I would like to report an internal Server-Side Request Forgery (SSRF) in Uppy. It allows an attacker to easily extract information from internal servers.
module name: Uppy
version: 1.15.0
npm page: https://www.npmjs.com/package/uppy
Uppy is a sleek, modular JavaScript file uploader that integrates seamlessly with any application. It's fast, easy to use and lets you worry about more important problems than building a file uploader.
[1] weekly downloads: 37,599
Server-Side Request Forgery (SSRF)
When I checked your fix for #786956, I noticed that you addressed the issue by checking the host's IP address against a blacklist before passing it to the server to fetch (you can check that here). But you forgot to stop redirection to those IP addresses. An attacker can therefore create a host or file that redirects every request it receives to a specific internal host, which bypasses your check: in the first phase the system checks whether the host is allowed and, if it is, the server makes the request; but it is not able to verify which host the request is then redirected to.
https://tinyurl.com/gqdv39p (it redirects to http://169.254.169.254/metadata/v1/)
Impact: Unauthorized access to sensitive info on internal hosts/services.