[jira] [Created] (JAMES-3691) JMAP Push: Prevent server-side request forgery

Benoit Tellier (Jira) Sun, 09 Jan 2022 21:14:05 -0800

Benoit Tellier created JAMES-3691:
-------------------------------------

             Summary: JMAP Push: Prevent server-side request forgery
                 Key: JAMES-3691
                 URL: https://issues.apache.org/jira/browse/JAMES-3691
             Project: James Server
          Issue Type: Improvement
            Reporter: Benoit Tellier



https://jmap.io/spec-core.html#connection-to-unknown-push-server

```
The server MUST ensure the URL is externally resolvable to avoid server-side 
request forgery, where the server makes a request to a resource on its internal 
network.
```

We do not do that.

We should resolve the hostname of the URL and reject it if it belong to one of 
these network:

```
Private network class A: 10.0.0.0 — 10.255.255.255
Private network class B: 172.16.0.0 — 172.31.255.255 
Private network class C: 192.168.0.0 — 192.168.255.255 
127.0. 0.0 to 127.255. 255.255
```

This should be done at Push subscription creation, as well as when submitting 
push notifications.

**DOD**: integretion tests rejecting server-side request forgery attemps 
against webadmin.

Remark: not a CVE vulnerability as it is not part of any released artifact.




--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Created] (JAMES-3691) JMAP Push: Prevent server-side request forgery

Reply via email to