[
https://issues.apache.org/jira/browse/JAMES-3691?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
René Cordier closed JAMES-3691.
-------------------------------
Fix Version/s: 3.7.0
Resolution: Fixed
> JMAP Push: Prevent server-side request forgery
> ----------------------------------------------
>
> Key: JAMES-3691
> URL: https://issues.apache.org/jira/browse/JAMES-3691
> Project: James Server
> Issue Type: Improvement
> Reporter: Benoit Tellier
> Priority: Major
> Fix For: 3.7.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> https://jmap.io/spec-core.html#connection-to-unknown-push-server
> ```
> The server MUST ensure the URL is externally resolvable to avoid server-side
> request forgery, where the server makes a request to a resource on its
> internal network.
> ```
> We do not do that.
> We should resolve the hostname of the URL and reject it if it belong to one
> of these network:
> ```
> Private network class A: 10.0.0.0 — 10.255.255.255
> Private network class B: 172.16.0.0 — 172.31.255.255
> Private network class C: 192.168.0.0 — 192.168.255.255
> 127.0. 0.0 to 127.255. 255.255
> ```
> This should be done at Push subscription creation, as well as when submitting
> push notifications.
> **DOD**: integretion tests rejecting server-side request forgery attemps
> against webadmin.
> Remark: not a CVE vulnerability as it is not part of any released artifact.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
