fix[SSRF]: Arbitrary File Read Vulnerability

[gkhngyk]

• Check if the URL has a valid HTTP or HTTPS protocol

Vulnerability:huntr
Found By: evrenyal

Vulnerability Details

Description
Langchain “PlaywrightWebBaseLoader” allows reading arbitrary files from the server.

Proof Of Concept

import { PlaywrightWebBaseLoader } from "langchain/document_loaders/web/playwright";

/**
 * Loader uses `page.content()`
 * as default evaluate function
 **/
const loader = new PlaywrightWebBaseLoader("file://");

const docs = await loader.load();
console.log(docs);

Response :

[
  Document {
    pageContent: '<html><head><script>start("/");</script>\n' +
      '<script>addRow("bin","bin",1,4096,"4.0 kB",1715852092,"5/16/24, 9:34:52 AM");</script>\n' +
      '<script>addRow("boot","boot",1,4096,"4.0 kB",1650277739,"4/18/22, 10:28:59 AM");</script>\n' +
      '<script>addRow("dev","dev",1,360,"360 B",1715851806,"5/16/24, 9:30:06 AM");</script>\n' +
      '<script>addRow("etc","etc",1,4096,"4.0 kB",1715852092,"5/16/24, 9:34:52 AM");</script>\n' +
      '<script>addRow("home","home",1,4096,"4.0 kB",1715040473,"5/7/24, 12:07:53 AM");</script>\n' +
      '<script>addRow("lib","lib",1,4096,"4.0 kB",1715040501,"5/7/24, 12:08:21 AM");</script>\n' +
      '<script>addRow("lib32","lib32",1,4096,"4.0 kB",1714183354,"4/27/24, 2:02:34 AM");</script>\n' +
      '<script>addRow("lib64","lib64",1,4096,"4.0 kB",1714183549,"4/27/24, 2:05:49 AM");</script>\n' +
      '<script>addRow("libx32","libx32",1,4096,"4.0 kB",1714183354,"4/27/24, 2:02:34 AM");</script>\n' +
      '<script>addRow("media","media",1,4096,"4.0 kB",1714183355,"4/27/24, 2:02:35 AM");</script>\n' +
      '<script>addRow("mnt","mnt",1,4096,"4.0 kB",1714183355,"4/27/24, 2:02:35 AM");</script>\n' +
      '<script>addRow("ms-playwright","ms-playwright",1,4096,"4.0 kB",1715853455,"5/16/24, 9:57:35 AM");</script>\n' +
      '<script>addRow("opt","opt",1,4096,"4.0 kB",1714183355,"4/27/24, 2:02:35 AM");</script>\n' +
      '<script>addRow("proc","proc",1,0,"0 B",1715851806,"5/16/24, 9:30:06 AM");</script>\n' +
      '<script>addRow("root","root",1,4096,"4.0 kB",1715852343,"5/16/24, 9:39:03 AM");</script>\n' +
      '<script>addRow("run","run",1,4096,"4.0 kB",1715040489,"5/7/24, 12:08:09 AM");</script>\n' +
      '<script>addRow("sbin","sbin",1,4096,"4.0 kB",1715040501,"5/7/24, 12:08:21 AM");</script>\n' +
      '<script>addRow("srv","srv",1,4096,"4.0 kB",1714183355,"4/27/24, 2:02:35 AM");</script>\n' +
      '<script>addRow("sys","sys",1,0,"0 B",1715851806,"5/16/24, 9:30:06 AM");</script>\n' +
      '<script>addRow("tmp","tmp",1,4096,"4.0 kB",1715853458,"5/16/24, 9:57:38 AM");</script>\n' +
      '<script>addRow("usr","usr",1,4096,"4.0 kB",1714183355,"4/27/24, 2:02:35 AM");</script>\n' +
      '<script>addRow("var","var",1,4096,"4.0 kB",1714183554,"4/27/24, 2:05:54 AM");</script>\n' +
      '<script>addRow(".dockerenv",".dockerenv",0,0,"0 B",1715851806,"5/16/24, 9:30:06 AM");</script>\n' +
      '</head><body></body></html>',
    metadata: { source: 'file://' }
  }
]

Impact
An attacker can use the “file://” url scheme and retrieve the content of arbitrary files on the system, that leads to sensitive information exposure.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
langchainjs-api-refs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 25, 2024 0:23am
langchainjs-docs	✅ Ready (Inspect)	Visit Preview		May 25, 2024 0:23am

[jacoblee93]

I responded on the original bug - this is a thin proxy over Playwright, and this issue feels like a feature of the URI spec?

What if someone is using this feature?

Wouldn't it be more suitable to open a PR on Playwright?

[gkhngyk]

I responded on the original bug - this is a thin proxy over Playwright, and this issue feels like a feature of the URI spec?

What if someone is using this feature?

Wouldn't it be more suitable to open a PR on Playwright?

We offer Playwright as a document loader in Langchain.
PlaywrightWebBaseLoader is our class. And our class can forward sensitive files on the server to users. So I think it's right to open PR here.

I think we should take security measures for the codes we write, at least as much as we can.

[jacoblee93]

Seems like a bug on Playwright to me. Perhaps there's a setting on their end?

[gkhngyk]

SSRF is mentioned in the Langchain Python library. Instead of a url controller like in the commit, it would be useful to provide information like in the link.

[jacoblee93]

Yeah I'm fine with adding a docstring, slightly more wary about making a code change (again, this is a proxy/translation layer on top of Playwright).

[gkhngyk]

Great, I'm going to delete the code in the commit and add docstring.