Decorate hte attachment download and generic web provider with the NoPrivateNetworkHttpClient

This is for security hardening to prevent SSRF attacks
2026-04-15 19:09:36 +00:00 · 2026-04-05 23:07:24 +02:00 · 2026-04-05 23:07:24 +02:00 · ad35ae6e9e
commit ad35ae6e9e
parent f12f808b34
2 changed files with 9 additions and 3 deletions
--- a/src/Services/Attachments/AttachmentSubmitHandler.php
+++ b/src/Services/Attachments/AttachmentSubmitHandler.php
@ -44,6 +44,7 @@ use App\Exceptions\AttachmentDownloadException;
 use App\Settings\SystemSettings\AttachmentsSettings;
 use Hshn\Base64EncodedFile\HttpFoundation\File\Base64EncodedFile;
 use Hshn\Base64EncodedFile\HttpFoundation\File\UploadedBase64EncodedFile;
+use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
 use const DIRECTORY_SEPARATOR;
 use InvalidArgumentException;
 use RuntimeException;
@ -95,6 +96,8 @@ class AttachmentSubmitHandler
            UserAttachment::class => 'user',
            LabelAttachment::class => 'label_profile',
        ];
+
+        $this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
    }

    /**
@ -373,6 +376,7 @@ class AttachmentSubmitHandler
                ],

            ];
+
            $response = $this->httpClient->request('GET', $url, $opts);
            //Digikey wants TLSv1.3, so try again with that if we get a 403
            if ($response->getStatusCode() === 403) {
@ -434,8 +438,8 @@ class AttachmentSubmitHandler
            $new_path = $this->pathResolver->realPathToPlaceholder($new_path);
            //Save the path to the attachment
            $attachment->setInternalPath($new_path);
-        } catch (TransportExceptionInterface) {
-            throw new AttachmentDownloadException('Transport error!');
+        } catch (TransportExceptionInterface $exception) {
+            throw new AttachmentDownloadException('Transport error: '.$exception->getMessage());
        }

        return $attachment;
--- a/src/Services/InfoProviderSystem/Providers/GenericWebProvider.php
+++ b/src/Services/InfoProviderSystem/Providers/GenericWebProvider.php
@ -42,6 +42,7 @@ use Brick\Schema\Interfaces\Thing;
 use Brick\Schema\SchemaReader;
 use Brick\Schema\SchemaTypeList;
 use Symfony\Component\DomCrawler\Crawler;
+use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
 use Symfony\Contracts\HttpClient\HttpClientInterface;

 class GenericWebProvider implements InfoProviderInterface
@ -55,7 +56,8 @@ class GenericWebProvider implements InfoProviderInterface
        private readonly ProviderRegistry $providerRegistry, private readonly PartInfoRetriever $infoRetriever,
    )
    {
-        $this->httpClient = (new RandomizeUseragentHttpClient($httpClient))->withOptions(
+        //Use NoPrivateNetworkHttpClient to prevent SSRF vulnerabilities, and RandomizeUseragentHttpClient to make it harder for servers to block us
+        $this->httpClient = (new RandomizeUseragentHttpClient(new NoPrivateNetworkHttpClient($httpClient)))->withOptions(
            [
                'timeout' => 15,
            ]