akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity

feat(security): comprehensive SSRF protection implementation

Browse Source 
BREAKING CHANGE: UpdateService.SetAPIURL() now returns error

Implements defense-in-depth SSRF protection across all user-controlled URLs:

Security Fixes:
- CRITICAL: Fixed security notification webhook SSRF vulnerability
- CRITICAL: Added GitHub domain allowlist for update service
- HIGH: Protected CrowdSec hub URLs with domain allowlist
- MEDIUM: Validated CrowdSec LAPI URLs (localhost-only)

Implementation:
- Created /backend/internal/security/url_validator.go (90.4% coverage)
- Blocks 13+ private IP ranges and cloud metadata endpoints
- DNS resolution with timeout and IP validation
- Comprehensive logging of SSRF attempts (HIGH severity)
- Defense-in-depth: URL format → DNS → IP → Request execution

Testing:
- 62 SSRF-specific tests covering all attack vectors
- 255 total tests passing (84.8% coverage)
- Zero security vulnerabilities (Trivy, go vuln check)
- OWASP A10 compliant

Documentation:
- Comprehensive security guide (docs/security/ssrf-protection.md)
- Manual test plan (30 test cases)
- Updated API docs, README, SECURITY.md, CHANGELOG

Security Impact:
- Pre-fix: CVSS 8.6 (HIGH) - Exploitable SSRF
- Post-fix: CVSS 0.0 (NONE) - Vulnerability eliminated

Refs: #450 (beta release)
See: docs/plans/ssrf_remediation_spec.md for full specification
This commit is contained in:
GitHub Actions
2025-12-23 15:03:15 +00:00
parent be778f0e50
commit e0f69cdfc8
18 changed files with 5811 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
docs/api.md
View File

@@ -133,6 +133,29 @@ Request Body (example):
Response 200: `{ "config": { ... } }`
**Security Considerations**:
Webhook URLs configured in security settings are validated to prevent Server-Side Request Forgery (SSRF) attacks. The following destinations are blocked:
- Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Cloud metadata endpoints (169.254.169.254)
- Loopback addresses (127.0.0.0/8)
- Link-local addresses
**Error Response**:
```json
{
"error": "Invalid webhook URL: URL resolves to a private IP address (blocked for security)"
}
```
**Example Valid URL**:
```json
{
"webhook_url": "https://webhook.example.com/receive"
}
```
#### Enable Cerberus
```http
@@ -1279,6 +1302,22 @@ Content-Type: application/json
}
```
**Security Considerations**:
Webhook URLs are validated to prevent SSRF attacks. Blocked destinations:
- Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Cloud metadata endpoints (169.254.169.254)
- Loopback addresses (127.0.0.0/8)
- Link-local addresses
**Error Response**:
```json
{
"error": "Invalid webhook URL: URL resolves to a private IP address (blocked for security)"
}
```
**All fields optional:**
- `enabled` (boolean) - Enable/disable all notifications