Skip to content

safeurl-python contains Server-Side Request Forgery

Moderate severity GitHub Reviewed Published Jan 26, 2023 in IncludeSecurity/safeurl-python • Updated Nov 22, 2024

Package

pip safeurl-python (pip)

Affected versions

< 1.2

Patched versions

1.2

Description

Description

In SafeURL it is possible to specify a list of domains that should be matched before a request is sent out. The regex used to compare domains did not work as intended.

Impact

The regex used was:

re.match("(?i)^%s" % domain, value)

This has two problems, first that only the beginning and not the end of the string is anchored. Second, that a dot in the domain matches any character as part of regex syntax.

Therefore, an allowlist of ["victim.com"] could allow the domain "victimacomattacker.com" to be requested.

This has lower impact since the usual attacker aim in an SSRF is to request internal resources such as private IP addresses rather than an attacker's own domain. But, in a case where SafeURL had specifically been used to try to limit requests to a particular allowlist, say for example a PDF renderer, the finding would be more severe.

Patches

Fixed in IncludeSecurity/safeurl-python#5

References

Server-side request forgery (SSRF)

References

Published to the GitHub Advisory Database Jan 27, 2023
Reviewed Jan 27, 2023
Last updated Nov 22, 2024

Severity

Moderate

EPSS score

0.077%
(35th percentile)

Weaknesses

CVE ID

CVE-2023-24622

GHSA ID

GHSA-jgh8-vchw-q3g7

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.