Decorate the attachment download and generic web provider with the NoPrivateNetworkHttpClient

This is for security hardening to prevent SSRF attacks
Jan Böhmer 2026-04-05 23:07:24 +02:00
parent f12f808b34
commit ad35ae6e9e
2 changed files with 9 additions and 3 deletions


@ -42,6 +42,7 @@ use Brick\Schema\Interfaces\Thing;
use Brick\Schema\SchemaReader;
use Brick\Schema\SchemaTypeList;
use Symfony\Component\DomCrawler\Crawler;
use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
use Symfony\Contracts\HttpClient\HttpClientInterface;
class GenericWebProvider implements InfoProviderInterface
@ -55,7 +56,8 @@ class GenericWebProvider implements InfoProviderInterface
private readonly ProviderRegistry $providerRegistry, private readonly PartInfoRetriever $infoRetriever,
)
{
$this->httpClient = (new RandomizeUseragentHttpClient($httpClient))->withOptions(
//Use NoPrivateNetworkHttpClient to prevent SSRF vulnerabilities, and RandomizeUseragentHttpClient to make it harder for servers to block us
$this->httpClient = (new RandomizeUseragentHttpClient(new NoPrivateNetworkHttpClient($httpClient)))->withOptions(
[
'timeout' => 15,
]
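Review bot: The SSRF guard on the new `$this->httpClient = (new RandomizeUseragentHttpClient(new NoPrivateNetworkHttpClient($httpClient)))->withOptions(` line only holds if `RandomizeUseragentHttpClient` forwards both `request()` and `withOptions()` to the client it wraps. That class is not visible in this hunk, so confirm that its `withOptions()` returns a wrapper around the inner client's `withOptions()` result and never an undecorated client. Keeping `NoPrivateNetworkHttpClient` innermost is the right order because the address check then sits next to the transport, and the comment could say so: `// NoPrivateNetworkHttpClient must stay the innermost decorator so the address check runs on the request that is actually sent`. A test that asks this provider for a loopback or private-range URL and expects the transport exception would keep the decoration from being dropped in a later refactor. The constructor begins and the `withOptions()` call ends outside the hunk, so how that exception is surfaced to the user cannot be judged from here.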