The WebAPI SparqlService suffers from a Server-Side Request Forgery (SSRF) vulnerability when the evidence service is enabled. Server-Side Request Forgery is an issue that allows an attacker to make arbitrary requests originating from the application’s server. Often this can be used to steal sensitive information, conduct port scans, or effect internal resources such as services listening on localhost or metadata services.
During source review of the WebAPI, it was found that the /WebAPI/evidence/linkoutdata/ can be used to make arbitrary HTTP requests from the application server to other resources due to the following code:
``
@get
@path("linkoutdata/{linkout}")
@produces(MediaType.APPLICATION_JSON)
public Collection getLinkout(@PathParam("linkout") String linkout) throws
JSONException, IOException {
String expandedURL = URIUtil.decode(linkout);
expandedURL = expandUrl(expandedURL);
expandedURL = URIUtil.decode(expandedURL);;
expandedURL = URIUtil.encodeQuery(expandedURL);
List infoOnLinkout = new ArrayList();
JSONArray lineItems = readJSONFeed(expandedURL);
...
public JSONArray readJSONFeed(String URL) throws JSONException {
StringBuilder stringBuilder = new StringBuilder();
HttpClient httpClient = new DefaultHttpClient();
HttpGet httpGet = new HttpGet(URL);
try {
HttpResponse response = httpClient.execute(httpGet);
StatusLine statusLine = response.getStatusLine();
int statusCode = statusLine.getStatusCode();
src/main/java/org/ohdsi/webapi/service/SparqlService.javaIf the evidence service was enabled, the following request would result in the SSRF request:
GET
/WebAPI/evidence/linkoutdata/http%3A%252F%252F2svjudf1pbqu0p3vmfaga99h288ywn.col.atredinomine.com%252Fl%252F
Proof of Concept
Recommendation(s)Continue to keep the evidence service disabled while it is not necessary. If the evidence service is ever required, use a whitelist in the readJSONFeed function to restrict requests to known-good resources.
ReferencesCWE-918: Server-Side Request Forgery (SSRF): https://cwe.mitre.org/data/definitions/918.html
The WebAPI SparqlService suffers from a Server-Side Request Forgery (SSRF) vulnerability when the evidence service is enabled. Server-Side Request Forgery is an issue that allows an attacker to make arbitrary requests originating from the application’s server. Often this can be used to steal sensitive information, conduct port scans, or effect internal resources such as services listening on localhost or metadata services.
During source review of the WebAPI, it was found that the /WebAPI/evidence/linkoutdata/ can be used to make arbitrary HTTP requests from the application server to other resources due to the following code:
``
@get
@path("linkoutdata/{linkout}")
@produces(MediaType.APPLICATION_JSON)
public Collection getLinkout(@PathParam("linkout") String linkout) throws
JSONException, IOException {
String expandedURL = URIUtil.decode(linkout);
expandedURL = expandUrl(expandedURL);
expandedURL = URIUtil.decode(expandedURL);;
expandedURL = URIUtil.encodeQuery(expandedURL);
List infoOnLinkout = new ArrayList();
JSONArray lineItems = readJSONFeed(expandedURL);
...
public JSONArray readJSONFeed(String URL) throws JSONException {
StringBuilder stringBuilder = new StringBuilder();
HttpClient httpClient = new DefaultHttpClient();
HttpGet httpGet = new HttpGet(URL);
try {
HttpResponse response = httpClient.execute(httpGet);
StatusLine statusLine = response.getStatusLine();
int statusCode = statusLine.getStatusCode();
src/main/java/org/ohdsi/webapi/service/SparqlService.javaIf the evidence service was enabled, the following request would result in the SSRF request:
GET
/WebAPI/evidence/linkoutdata/http%3A%252F%252F2svjudf1pbqu0p3vmfaga99h288ywn.col.atredinomine.com%252Fl%252F
Proof of Concept
Recommendation(s)Continue to keep the evidence service disabled while it is not necessary. If the evidence service is ever required, use a whitelist in the readJSONFeed function to restrict requests to known-good resources.
ReferencesCWE-918: Server-Side Request Forgery (SSRF): https://cwe.mitre.org/data/definitions/918.html