Benoit Tellier created JAMES-3691:
-------------------------------------

Summary: JMAP Push: Prevent server-side request forgery
Key: JAMES-3691
URL: https://issues.apache.org/jira/browse/JAMES-3691
Project: James Server
Issue Type: Improvement
Reporter: Benoit Tellier
https://jmap.io/spec-core.html#connection-to-unknown-push-server

```
The server MUST ensure the URL is externally resolvable to avoid server-side request forgery, where the server makes a request to a resource on its internal network.
```

We do not do that. We should resolve the hostname of the URL and reject it if it belongs to one of these networks:

```
Private network class A: 10.0.0.0 — 10.255.255.255
Private network class B: 172.16.0.0 — 172.31.255.255
Private network class C: 192.168.0.0 — 192.168.255.255
127.0.0.0 — 127.255.255.255
```

This should be done at Push subscription creation, as well as when submitting push notifications.

**DOD**: integration tests rejecting server-side request forgery attempts against webadmin.

Remark: not a CVE vulnerability as it is not part of any released artifact.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
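The check the ticket asks for, written out as an added example in Python (not James code, which is Java, and not part of the ticket). It resolves the push URL's host, rejects it when any returned address falls in a blocked range, and is meant to be called both at PushSubscription creation and again right before each push is sent, which is what protects against a hostname that is re-pointed at an internal address after the subscription was accepted. It goes a little beyond the ticket's list: the four ranges from the ticket are there, and the example also blocks link-local, IPv6 loopback/unique-local/link-local and IPv4-mapped IPv6 spellings, and enforces the https scheme the JMAP spec requires of push URLs. The `https` requirement comes from the JMAP spec; the extra ranges, the function names and the sample DNS table are this example's own assumptions.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlparse

# Ranges a push URL must never resolve to. The first four are the ones listed
# in the ticket (RFC 1918 private blocks and IPv4 loopback). The remaining
# entries are an assumption of this example, not something the ticket asks
# for: IPv4 link-local (which covers cloud metadata endpoints such as
# 169.254.169.254), "this host" and shared address space, and the IPv6
# loopback, unspecified, unique-local and link-local blocks.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]


class UnsafePushUrl(ValueError):
    """Raised when a push URL must be rejected."""


def is_blocked_address(addr: str) -> bool:
    """True if the textual IP address falls in any blocked range."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.5) is judged as its IPv4
    # form; otherwise the v6 spelling would slip past the v4 ranges.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> List[str]:
    """Every A and AAAA record for host, not just the first one returned."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def validate_push_url(url: str, resolver: Resolver = system_resolver) -> List[str]:
    """Return the addresses the URL resolves to, or raise UnsafePushUrl.

    Call this when the PushSubscription is created and again immediately
    before each push is sent: a hostname that resolved to a public address
    at subscription time can be re-pointed at an internal one later
    (DNS rebinding), so the creation-time check alone is not enough.
    """
    parsed = urlparse(url)
    # The JMAP spec requires the push URL to start with https://.
    if parsed.scheme != "https":
        raise UnsafePushUrl(f"push URL must use https: {url}")
    host = parsed.hostname  # brackets already stripped for IPv6 literals
    if not host:
        raise UnsafePushUrl(f"push URL has no host: {url}")
    try:
        # A literal address needs no lookup but still has to pass the check.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise UnsafePushUrl(f"push URL host does not resolve: {url}")
    # Reject if *any* record is internal: a resolver that returns one public
    # and one private address must not be allowed to pick the private one.
    for addr in addrs:
        if is_blocked_address(addr):
            raise UnsafePushUrl(f"{url} resolves to non-routable address {addr}")
    return addrs


def is_safe_push_url(url: str, resolver: Resolver = system_resolver) -> bool:
    try:
        validate_push_url(url, resolver)
        return True
    except UnsafePushUrl:
        return False


def table_resolver(table: dict) -> Resolver:
    """Offline resolver backed by a constructed hostname -> addresses table."""
    return lambda host: list(table.get(host, []))


# Constructed sample data for a stand-alone run; no DNS or network is used.
SAMPLE_DNS = table_resolver({
    "push.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.10", "10.0.0.5"],
    "mapped.example.com": ["::ffff:192.168.1.1"],
})

if __name__ == "__main__":
    for u in ("https://push.example.com/jmap-push",
              "https://rebind.example.com/jmap-push",
              "https://mapped.example.com/jmap-push",
              "https://10.1.2.3/jmap-push",
              "https://[::1]/jmap-push",
              "https://169.254.169.254/latest/meta-data/",
              "http://push.example.com/jmap-push"):
        verdict = "accepted" if is_safe_push_url(u, SAMPLE_DNS) else "rejected"
        print(f"{u}: {verdict}")
```

When this is wired into the sender, the HTTP client should connect to one of the addresses `validate_push_url` just returned rather than resolving the hostname a second time; otherwise a short-TTL record can change between the check and the connection.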