Client-Side CSRF/SSRF from gisweb.azureedge.net response

[emanuelb]

Here the response of request to https://gisweb.azureedge.net/get_config.json?r=${Math.random()} (assumed json is returned) will be stored in configUrls variable, which some data in the json configUrls.data[env] is passed to downloadAndVerifySigning function, that will use without verification and whitelisted domains as input to axios.get('${url}.sign?r=${Math.random()}' command.

hamagen-react-native/src/config/config.ts

Lines 15 to 16 in c981f8f

	const configUrls = await axios.get(`https://gisweb.azureedge.net/get_config.json?r=${Math.random()}`, { headers: { 'Content-Type': 'application/json;charset=utf-8' } });
	const data = await downloadAndVerifySigning(configUrls.data[env]);

hamagen-react-native/src/services/SigningService.ts

Lines 5 to 7 in 4c13112

	export const downloadAndVerifySigning = (url: string) => new Promise<any>(async (resolve, reject) => {
	try {
	const { data }: { data: string } = await axios.get(`${url}.sign?r=${Math.random()}`, { headers: { 'Content-Type': 'application/json;charset=utf-8' } });

thus the server can return any URIs (not just https:// but http:// as well, for any domain, such as: http://192.168.1.1 to attack local network resources, such as routers, etc...)

the .sign?r= addition is easily bypassed/ignored by adding # or &x= to the url (it will be part of the hash or additional parameter)

fix: implement white-list in the application of allowed hosts (only in https:// protocol) that can be used in the request for the signed data.