Node.js third-party modules: [Uppy] Internal Server side request forgery (bypass of #786956)

2020-06-04T20:42:14
ID H1:891270
Type hackerone
Reporter mahmoud0x00
Modified 2020-06-28T13:50:00

Description

I would like to report an internal server-side request forgery in Uppy. It allows the attacker to easily extract information from internal servers.

Module

module name: Uppy
version: 1.15.0
npm page: https://www.npmjs.com/package/uppy

Module Description

Uppy is a sleek, modular JavaScript file uploader that integrates seamlessly with any application. It’s fast, easy to use and lets you worry about more important problems than building a file uploader.

Module Stats

  • weekly downloads: 37,599

Vulnerability

Server-Side Request Forgery (SSRF)

Vulnerability Description

When I checked your fix for #786956, I noticed that you fixed this issue by checking the host's IP address against a blacklist before passing it to the server to fetch (you can check that here). But you forgot to stop redirection to these IP addresses, so an attacker can create a host or file and redirect all requests it receives to a specific internal host. This bypasses your check: in the first phase, the system checks whether this host is allowed; if it is, the server passes the request, but it won't be able to verify which host is being redirected to.

Steps To Reproduce:

  • Feel free to set up a custom Uppy version on your own server and try these steps there.
  • Go to https://uppy.io/
  • Choose "download file via a link".
  • Pass this link to the system: https://tinyurl.com/gqdv39p (it redirects to http://169.254.169.254/metadata/v1/).
  • Upload the fetched file.
  • Download that file.
  • Open that file and you should see a copy of DigitalOcean's metadata host response ██████

Supporting Material/References:

███

Wrap up

> Select Y or N for the following statements:

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N

Impact

Unauthorized access to sensitive info on internal hosts/services.