Issue with aspose pdf: SSRF vulnerability

When customer create rendition from html file which contains iframe, exposing the CTS server IIS start page, they get the IIS link printed on the output file which on clicking takes us to Microsoft IIS website.
Below are steps to repoduce:

1. Start IIS server with default website.
2. create a html file like below:

 <html>
    <body>
        <iframe src="http://127.0.0.1:80/" frameborder="0"></iframe>
    </body>
</html>

3. I have used below code to get the output using aspose pdf to transform html to pdf.

HtmlLoadOptions htmlLoadOptions = new HtmlLoadOptions();
Document pdfDocument = new Document(htmlFilePath, htmlLoadOptions);
pdfDocument.save(outputPdfPath);

I have attached input and output file in the zip.
files.zip (72.8 KB)

Thanks,
Krishna

@rnara

It appears that you are encountering a potential SSRF (Server-Side Request Forgery) vulnerability when using Aspose PDF to convert an HTML file containing an iframe that points to a local server. This issue arises because the output PDF includes a link to the IIS server’s start page, which can be accessed when clicked.

To address this issue, it is important to ensure that your application does not allow the inclusion of local or sensitive URLs in the HTML content being processed. Here are some steps you can take to mitigate this vulnerability:

1. Input Validation: Implement strict validation on the URLs that can be included in the HTML content. Ensure that only safe and intended URLs are allowed.

2. Sanitization: Before processing the HTML, sanitize the content to remove or alter any iframe tags or links that point to local resources or sensitive endpoints.

3. Configuration Settings: Check if there are any configuration settings in Aspose PDF that can help restrict the processing of local URLs or iframes.

4. Security Review: Conduct a thorough security review of your application to identify and address any other potential vulnerabilities.

If you need further assistance or have specific questions about implementing these measures, feel free to ask. Additionally, if you have any logs or error messages related to this issue, sharing them could help in diagnosing the problem more effectively.

For more information on this topic, you might want to refer to discussions on SSRF vulnerabilities in web applications, as they can provide insights into best practices for securing your application.

Sources:
[1]: SSRF vulnerability in Aspose PDF Web Converter - Aspose Assistant conversation with customer on Tuesday, November 23rd 2021, 2:34:48 pm

Hi,
Any update on this?
We were going through the below link for the fix,
Web App Security When Loading Resources|Aspose.Words for .NET
And we see solution for .NET.
Is there any similar option for Java?
Thanks,
Krishna

@rnara

We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): PDFJAVA-45034

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

Hi @asad.ali,
Can we confirm this as a bug?
Thanks,
Krishna

@rnara

We are afraid that we cannot further comment prior to the investigation. As soon as we make some progress in investigating the issue, we will be sharing our feedback with you. Please be patient and spare us some time.

We are sorry for the inconvenience.

Hi @asad.ali ,
Any updates on this issue?
Thanks,
Krishna

@rnara

Regretfully, the ticket hasn’t been resolved yet. We will let you know as soon as we have some certain news about its resolution. Please be patient and spare us some time.

We are sorry for the inconvenience.

Hi @asad.ali,
Any update on this?
Can you please give ETA?
Thanks,
Krishna

@rnara

We are afraid that the ticket hasn’t been yet investigated and as soon as we make some progress in this regard, we will inform you. Please be patient and spare us some time.

We are sorry for the inconvenience.

Hi @asad.ali ,
Any updates on this?
Thanks,
Krishna

@rnara

We are afraid that the earlier logged ticket hasn’t been completely investigated yet. However, as soon as we make some progress in this regard, we will update you via this forum thread. Please be patient and spare us some time.

We are sorry for the inconvenience.

Hi @asad.ali , Please let us know how to address this potential SSRF vulnerability with Aspose Java libs.

@rnara

We regret to inform you that the previously logged ticket remains unresolved, and we are currently unable to provide a definitive ETA for its resolution. Rest assured, as soon as the investigation is completed, we will promptly update you with the resolution timeline.

We sincerely appreciate your understanding and patience during this time and apologize for any inconvenience caused.

@asad.ali : Please share update on this issue. Ticket is open for 4 months without progressive update. Can you please provide the fix or ETA sooner as this is impacting security compliance.

@rnara

Regretfully, the ticket could not get resolved yet. Please note that it is under investigation phase. We are afraid that an ETA is not possible to be provided as analysis is not complete. Your concerns have already been noted and we will surely update you as soon as the ticket is resolved. We highly appreciate your patience and comprehension in this regard.

We apologize for the inconvenience.

Hi @asad.ali
Is there any update regarding this issue since the ticket is open for a long time ?

@rsv2

We are afraid that ticket could not get resolved due to other issues in the queue logged prior to it. However, we will surely inform you as soon as we make some progress towards resolution of this ticket. We highly appreciate your patience and comprehension in this regard. We apologize for the inconvenience.