Server side request forgery

operations.hr-manage · March 13, 2018, 7:29am

Example
A HTML document was created with the content below, and saved as “test.html”.

<html>
  <body>
    <img  src="http://our-server.com/image.jpg">
  </body>
</html>

The HTML document includes a reference a image. Note that the source (src) attribute on the tag was pointing to a server for which access logs were available.

The file extension of the document was then was renamed to “test.odt”. Now, Aspose tools were used to convert the document to PDF. During this process, the tool would request the referenced image. This could also be confirmed by the logs from “our-server.com” that the file was accessed.

In our application, the Aspose components are running in a web application. A user may upload a file to the server, which is then converted to PDF before storage. This scenario opens up for server side request forgery.

Server side request forgery occurs when an attacker can coerce a web application to perform HTTP requests toward a attacker-controlled location. Because the security posture often differ between local networks to external networks, an attacker able to make requests on behalf of the server, bypasses external network trust borders like firewalls in order to communicate with any local service. Services local to the server might lack security measures often found in externally exposed services, under the belief that local network communication is trusted. An attacker can exploit these conditions to access sensitive information served by a local service.

How can this behavior be disabled in Aspose tools?

operations.hr-manage · March 13, 2018, 7:31am

The sample HTML document was stripped away due to HTML tags. Trying again by replacing the brackets with different ones.

[html]
[body]
[img src="http://our-server.com/image.jpg"]
[/body]
[/html]

asad.ali · March 13, 2018, 9:24am

@operations.hr-manage

Thanks for contacting support.

We are analyzing your requirement and will share our feedback with you soon. Meanwhile, would you please share sample code snippet, which you are using in your application along with your environment details (i.e hosting server, application platform, API Version, etc.). This would help us analyzing the scenario and provide feedback accordingly.

operations.hr-manage · March 13, 2018, 9:56am

Hi,

I am attaching a code snippet. The conversion from ODT to PDF in this case is done using Aspose.Words.

Aspose Code Snippet.zip (688 Bytes)

tahir.manzoor · March 13, 2018, 5:26pm

@operations.hr-manage,

Thanks for your inquiry. In your case, we suggest you please implement IResourceLoadingCallback interface. This interface allows you to control how Aspose.Words loads external resource when importing a document from HTML. Please check the following code example. Hope this helps you.

public class HandleURIResourceLoading : IResourceLoadingCallback
{
    public ResourceLoadingAction ResourceLoading(ResourceLoadingArgs args)
    {
        if (!args.OriginalUri.StartsWith("http://our-server.com/"))
        {
            return ResourceLoadingAction.Skip;
        }
                

        return ResourceLoadingAction.Default;
    }
}

HtmlLoadOptions options = new HtmlLoadOptions();
options.ResourceLoadingCallback = new HandleURIResourceLoading();
Document doc = new Document(MyDir + "in.html", options);
doc.Save(MyDir + "18.3.pdf");