Outsource SSRF mitigation implementation in dashboard to community #1759
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
User Story
In order to maximize our chances of blocking SSRF attempts with minimal ongoing maintenance, the data.gov team wants to use a community-maintained PHP SSRF blocking solution in place of our own code.
Acceptance Criteria
curl_exec()in a checkout ofdashboard-appTHEN I see no results outside the
vendordirectory other thansafecurl_exec().filter_remote_url()THEN I see no bespoke code, only calls to safecurl.
Background
We have written our own SSRF mitigation code for the dashboard but we have found again and again that there are cases we haven't thought of. We should be teaming up with a community effort to reduce our risk and maintenance friction for the dashboard. The j0k3r PHP package looks the most maintained and used, but we know that it doesn't handle IPv6 addresses (whereas our existing implementation does).
Security Considerations (required)
This change will maintain the existing security profile due to existing tests that capture our expectations, and potentially improve our security due to more cases being blocked.
Sketch
j0k3r/safecurllibrary and use it in filter_remote_url() and the curl_*() api helper functions.j0k3r/safecurlfork to implement the missing IPv6 filtering.The text was updated successfully, but these errors were encountered: