Fix redirection #694
Fix redirection #694
Conversation
* init * upgrade neo * useDiagnostic * Update RpcServer.SmartContract.cs * invoke tree * add event * Add storage changes * Update nuget * rename event state * Unify * update neofs * fix json Co-authored-by: Shargon <[email protected]> Co-authored-by: Erik Zhang <[email protected]> Co-authored-by: Owen Zhang <[email protected]>
* add in file copyright * fix the copyright * update copyright start year * Delete copyright.sh * Delete copyright.txt Co-authored-by: Owen Zhang <[email protected]> Co-authored-by: Erik Zhang <[email protected]>
* init * refac Co-authored-by: Shargon <[email protected]>
| @@ -62,6 +72,14 @@ public async Task<(OracleResponseCode, string)> ProcessAsync(Uri uri, Cancellati | |||
| return (OracleResponseCode.Error, null); | |||
| if (!Settings.Default.AllowedContentTypes.Contains(message.Content.Headers.ContentType.MediaType)) | |||
| return (OracleResponseCode.ContentTypeNotSupported, null); | |||
|
|
|||
| if (!Settings.Default.AllowPrivateHost && message.RequestMessage.RequestUri != uri) | |||
There was a problem hiding this comment.
I don't think it really works to prevent ssrf since the request is already sent in the line:
message = await client.GetAsync(uri, HttpCompletionOption.ResponseContentRead, cancellation);
There was a problem hiding this comment.
Yes. It will leak information such as resource existence at least because this check is not the first branch.
There was a problem hiding this comment.
Agree with @vang1ong7ang , I think that the redirection must be manual like #692
There was a problem hiding this comment.
yeah, should not assume GET requests have no side effect.
|
i prefer to avoid the request happening. not only the final content uploading. |
|
dns rebinding should be also considered |
It seems that it's difficult to prevent SSRF in .Net. |
|
@dusmart also in golang i think |
|
Since we support https only, I think we don't need to worry about dns rebinding. |
Fix #693