Decorate hte attachment download and generic web provider with the NoPrivateNetworkHttpClient

This is for security hardening to prevent SSRF attacks
This commit is contained in:
Jan Böhmer 2026-04-05 23:07:24 +02:00
parent f12f808b34
commit ad35ae6e9e
2 changed files with 9 additions and 3 deletions


@ -44,6 +44,7 @@ use App\Exceptions\AttachmentDownloadException;
use App\Settings\SystemSettings\AttachmentsSettings; use App\Settings\SystemSettings\AttachmentsSettings;
use Hshn\Base64EncodedFile\HttpFoundation\File\Base64EncodedFile; use Hshn\Base64EncodedFile\HttpFoundation\File\Base64EncodedFile;
use Hshn\Base64EncodedFile\HttpFoundation\File\UploadedBase64EncodedFile; use Hshn\Base64EncodedFile\HttpFoundation\File\UploadedBase64EncodedFile;
use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
use const DIRECTORY_SEPARATOR; use const DIRECTORY_SEPARATOR;
use InvalidArgumentException; use InvalidArgumentException;
use RuntimeException; use RuntimeException;
@ -95,6 +96,8 @@ class AttachmentSubmitHandler
UserAttachment::class => 'user', UserAttachment::class => 'user',
LabelAttachment::class => 'label_profile', LabelAttachment::class => 'label_profile',
]; ];
$this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
} }
/** /**
@ -373,6 +376,7 @@ class AttachmentSubmitHandler
], ],
]; ];
$response = $this->httpClient->request('GET', $url, $opts); $response = $this->httpClient->request('GET', $url, $opts);
//Digikey wants TLSv1.3, so try again with that if we get a 403 //Digikey wants TLSv1.3, so try again with that if we get a 403
if ($response->getStatusCode() === 403) { if ($response->getStatusCode() === 403) {
@ -434,8 +438,8 @@ class AttachmentSubmitHandler
$new_path = $this->pathResolver->realPathToPlaceholder($new_path); $new_path = $this->pathResolver->realPathToPlaceholder($new_path);
//Save the path to the attachment //Save the path to the attachment
$attachment->setInternalPath($new_path); $attachment->setInternalPath($new_path);
} catch (TransportExceptionInterface) { } catch (TransportExceptionInterface $exception) {
throw new AttachmentDownloadException('Transport error!'); throw new AttachmentDownloadException('Transport error: '.$exception->getMessage());
} }
return $attachment; return $attachment;
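Review bot: The rewritten `throw` in the last hunk embeds `$exception->getMessage()` in the AttachmentDownloadException, and the transport exception that NoPrivateNetworkHttpClient raises for a blocked destination names the resolved IP address of the requested host; if that exception text is ever surfaced to the submitting user (the caller is outside this hunk, but a submit handler makes that plausible), the download path turns into an oracle for internal name resolution, which is the class of leak the wrapping added in the constructor hunk is meant to close. Keep the user-facing text generic and chain the cause instead, `throw new AttachmentDownloadException('Transport error!', previous: $exception);`, so the detail still reaches the server log through the previous exception. Separately, `$this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);` in the constructor hunk will throw at runtime if `$httpClient` is a promoted readonly property (its declaration is outside the hunk); wrapping the constructor argument before the first assignment avoids that. The method containing the last hunk starts outside the hunk.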


@ -42,6 +42,7 @@ use Brick\Schema\Interfaces\Thing;
use Brick\Schema\SchemaReader; use Brick\Schema\SchemaReader;
use Brick\Schema\SchemaTypeList; use Brick\Schema\SchemaTypeList;
use Symfony\Component\DomCrawler\Crawler; use Symfony\Component\DomCrawler\Crawler;
use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
use Symfony\Contracts\HttpClient\HttpClientInterface; use Symfony\Contracts\HttpClient\HttpClientInterface;
class GenericWebProvider implements InfoProviderInterface class GenericWebProvider implements InfoProviderInterface
@ -55,7 +56,8 @@ class GenericWebProvider implements InfoProviderInterface
private readonly ProviderRegistry $providerRegistry, private readonly PartInfoRetriever $infoRetriever, private readonly ProviderRegistry $providerRegistry, private readonly PartInfoRetriever $infoRetriever,
) )
{ {
$this->httpClient = (new RandomizeUseragentHttpClient($httpClient))->withOptions( //Use NoPrivateNetworkHttpClient to prevent SSRF vulnerabilities, and RandomizeUseragentHttpClient to make it harder for servers to block us
$this->httpClient = (new RandomizeUseragentHttpClient(new NoPrivateNetworkHttpClient($httpClient)))->withOptions(
[ [
'timeout' => 15, 'timeout' => 15,
] ]
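Review bot: The SSRF guard in the constructor hunk is applied by hand inside this one class, so any other InfoProviderInterface implementation or service that injects `HttpClientInterface` and fetches a user-supplied URL stays unprotected unless it repeats the same wrapping (the other providers are not visible here, but the two files in this commit already wrap the client in two different ways). Decorating the `http_client` service once in the container with `NoPrivateNetworkHttpClient` would make the protection the default for every consumer instead of an opt-in per class, and would let this constructor use the plain injected client again. If the per-class wrapping stays, the innermost position of `NoPrivateNetworkHttpClient` is the part that matters, since it must see the final destination after every outer decorator, so the new comment should state that rather than only the intent, e.g. `//NoPrivateNetworkHttpClient must remain the innermost wrapper so it validates the final target of every request (SSRF guard); RandomizeUseragentHttpClient only varies the User-Agent`, and a unit test asserting that a request to a loopback URL throws `TransportExceptionInterface` would pin the ordering against future refactors. The constructor's signature starts before this hunk.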