Skip to content

Server-Side Request Forgery #1236

Description

@konstjar

The WebAPI SparqlService suffers from a Server-Side Request Forgery (SSRF) vulnerability when the evidence service is enabled. Server-Side Request Forgery is an issue that allows an attacker to make arbitrary requests originating from the application’s server. Often this can be used to steal sensitive information, conduct port scans, or effect internal resources such as services listening on localhost or metadata services.

During source review of the WebAPI, it was found that the /WebAPI/evidence/linkoutdata/ can be used to make arbitrary HTTP requests from the application server to other resources due to the following code:

``
@get
@path("linkoutdata/{linkout}")
@produces(MediaType.APPLICATION_JSON)
public Collection getLinkout(@PathParam("linkout") String linkout) throws
JSONException, IOException {
String expandedURL = URIUtil.decode(linkout);
expandedURL = expandUrl(expandedURL);
expandedURL = URIUtil.decode(expandedURL);;
expandedURL = URIUtil.encodeQuery(expandedURL);
List infoOnLinkout = new ArrayList();
JSONArray lineItems = readJSONFeed(expandedURL);
...
public JSONArray readJSONFeed(String URL) throws JSONException {
StringBuilder stringBuilder = new StringBuilder();
HttpClient httpClient = new DefaultHttpClient();
HttpGet httpGet = new HttpGet(URL);
try {
HttpResponse response = httpClient.execute(httpGet);
StatusLine statusLine = response.getStatusLine();
int statusCode = statusLine.getStatusCode();

src/main/java/org/ohdsi/webapi/service/SparqlService.javaIf the evidence service was enabled, the following request would result in the SSRF request:

GET
/WebAPI/evidence/linkoutdata/http%3A%252F%252F2svjudf1pbqu0p3vmfaga99h288ywn.col.atredinomine.com%252Fl%252F

Proof of Concept

Recommendation(s)Continue to keep the evidence service disabled while it is not necessary. If the evidence service is ever required, use a whitelist in the readJSONFeed function to restrict requests to known-good resources.

ReferencesCWE-918: Server-Side Request Forgery (SSRF): https://cwe.mitre.org/data/definitions/918.html

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions