Issue with aspose pdf: SSRF vulnerability

When a customer creates a rendition from an HTML file which contains an iframe exposing the CTS server IIS start page, they get the IIS link printed on the output file, which on clicking takes us to the Microsoft IIS website.
Below are the steps to reproduce:

  1. Start an IIS server with the default website.
  2. Create an HTML file like the one below:
<html>
    <body>
        <!-- iframe pointing at the loopback address, i.e. the IIS default site on the converting host -->
        <iframe src="http://127.0.0.1:80/" frameborder="0"></iframe>
    </body>
</html>
  3. I have used the code below to get the output, using Aspose PDF to transform HTML to PDF.
import com.aspose.pdf.Document;
import com.aspose.pdf.HtmlLoadOptions;

HtmlLoadOptions htmlLoadOptions = new HtmlLoadOptions(); // default load options; external resources referenced by the HTML (here the iframe) are fetched while loading
Document pdfDocument = new Document(htmlFilePath, htmlLoadOptions); // htmlFilePath: path to the HTML file from step 2
pdfDocument.save(outputPdfPath); // outputPdfPath: where the rendered PDF is written

I have attached the input and output files in the zip.
files.zip (72.8 KB)

Thanks,
Krishna

@rnara

It appears that you are encountering a potential SSRF (Server-Side Request Forgery) vulnerability when using Aspose PDF to convert an HTML file containing an iframe that points to a local server. This issue arises because the output PDF includes a link to the IIS server’s start page, which can be accessed when clicked.

To address this issue, it is important to ensure that your application does not allow the inclusion of local or sensitive URLs in the HTML content being processed. Here are some steps you can take to mitigate this vulnerability:

  1. Input Validation: Implement strict validation on the URLs that can be included in the HTML content. Ensure that only safe and intended URLs are allowed.

  2. Sanitization: Before processing the HTML, sanitize the content to remove or alter any iframe tags or links that point to local resources or sensitive endpoints.

  3. Configuration Settings: Check if there are any configuration settings in Aspose PDF that can help restrict the processing of local URLs or iframes.

  4. Security Review: Conduct a thorough security review of your application to identify and address any other potential vulnerabilities.

If you need further assistance or have specific questions about implementing these measures, feel free to ask. Additionally, if you have any logs or error messages related to this issue, sharing them could help in diagnosing the problem more effectively.

For more information on this topic, you might want to refer to discussions on SSRF vulnerabilities in web applications, as they can provide insights into best practices for securing your application.

Sources:
[1]: SSRF vulnerability in Aspose PDF Web Converter - Aspose Assistant conversation with customer on Tuesday, November 23rd 2021, 2:34:48 pm
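The input-validation and sanitization steps in the reply above, as an added example that is not part of this thread and not Aspose's code: a pre-check run over the HTML before it is handed to any HTML-to-PDF converter. It is written in Python rather than Java because the logic does not depend on the converter library; the same checks port directly to Java with java.net.InetAddress.getAllByName() plus isLoopbackAddress()/isSiteLocalAddress()/isLinkLocalAddress(). The element/attribute table, the sample HTML and the offline DNS map are all constructed for this example; the sample HTML repeats the reporter's iframe and adds a few alternative spellings of the loopback address that a plain string match on "127.0.0.1" would miss.

```python
"""Pre-conversion SSRF guard: find every URL an HTML-to-PDF converter would fetch
and reject the document if any of them points at an internal address."""
import ipaddress
import socket
from html.parser import HTMLParser
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Elements/attributes that make a converter fetch a resource while rendering (constructed list).
FETCHING_ATTRS = {
    "iframe": ("src",), "frame": ("src",), "img": ("src",), "script": ("src",),
    "link": ("href",), "object": ("data",), "embed": ("src",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
}
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), reserved, multicast, 0.0.0.0."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def default_resolver(host: str) -> List[str]:
    """Resolve every A/AAAA record; the converter may connect to any one of them."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def url_violation(url: str, resolver: Callable[[str], List[str]] = default_resolver) -> Optional[str]:
    """Return a reason if `url` must not be fetched server-side, else None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased, IPv6 brackets stripped
    except ValueError:
        return f"unparseable URL: {url!r}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Also rejects relative references (which resolve against the converter's
        # local base path), file:, data: and javascript: URLs.
        return f"scheme not allowed: {url!r}"
    if not host:
        return f"no host: {url!r}"
    if host == "localhost" or host.endswith(".localhost"):
        return f"localhost alias: {url!r}"
    addrs = resolver(host)
    if not addrs:
        return f"unresolvable host: {url!r}"
    for ip in addrs:
        try:
            blocked = is_blocked_address(ip)
        except ValueError:
            blocked = True
        if blocked:
            return f"{host} resolves to internal address {ip}: {url!r}"
    return None


class FetchScanner(HTMLParser):
    """Collects every (tag, url) pair the converter would fetch."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):  # HTMLParser also routes <img .../> here
        for name, value in attrs:
            if value and name.lower() in FETCHING_ATTRS.get(tag.lower(), ()):
                self.urls.append((tag.lower(), value))


def find_ssrf_violations(html: str, resolver: Callable[[str], List[str]] = default_resolver) -> List[str]:
    """Return one reason per offending URL; an empty list means the HTML may be converted."""
    scanner = FetchScanner()
    scanner.feed(html)
    scanner.close()
    return [f"<{tag}> {reason}" for tag, url in scanner.urls
            if (reason := url_violation(url, resolver))]


# Constructed sample: the reporter's iframe plus common alternative spellings of loopback.
SAMPLE_HTML = """<html><body>
<iframe src="http://127.0.0.1:80/" frameborder="0"></iframe>
<img src="http://0x7f000001/">
<img src="http://[::ffff:127.0.0.1]/">
<link rel="stylesheet" href="http://169.254.169.254/latest/meta-data/">
<img src="http://cdn.example.com/logo.png">
<img src="logo.png">
</body></html>"""

# Constructed DNS map so the example runs offline; production code uses default_resolver.
SAMPLE_DNS = {
    "127.0.0.1": ["127.0.0.1"],
    "0x7f000001": ["127.0.0.1"],          # hex spelling that resolvers and browsers accept
    "::ffff:127.0.0.1": ["::ffff:127.0.0.1"],
    "169.254.169.254": ["169.254.169.254"],
    "cdn.example.com": ["1.2.3.4"],       # stand-in for a public address
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for violation in find_ssrf_violations(SAMPLE_HTML, sample_resolver):
        print("REJECT:", violation)
```

Refuse the whole document when the list is non-empty rather than silently stripping the offending tags, so that attempts are visible in logs. A pre-check of this kind resolves the hostname once while the converter resolves it again when it fetches, so a DNS-rebinding attacker can still slip through; the definitive control is the same check applied inside the converter's resource-loading hook (the approach the Aspose.Words .NET article linked later in this thread describes) and, independently, no network route from the conversion host to internal services such as the IIS site on 127.0.0.1.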

Hi,
Any update on this?
We were going through the link below for the fix:
Web App Security When Loading Resources|Aspose.Words for .NET
and we see a solution for .NET.
Is there any similar option for Java?
Thanks,
Krishna

@rnara

We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): PDFJAVA-45034

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

Hi @asad.ali,
Can we confirm this as a bug?
Thanks,
Krishna

@rnara

We are afraid that we cannot further comment prior to the investigation. As soon as we make some progress in investigating the issue, we will be sharing our feedback with you. Please be patient and spare us some time.

We are sorry for the inconvenience.