scripte/timemaster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): SSRF-Schutz für CalDAV-URLs

Browse Source 
Neue _validate_caldav_url() Funktion in caldav_service.py:
- Prüft Schema (nur http/https erlaubt)
- Blockiert private IP-Ranges (RFC 1918, Loopback, Link-local)
- DNS-Auflösung + Prüfung der aufgelösten IP (DNS-Rebinding-Schutz)
- Blockiert: 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, fc00::/7 etc.

Validierung in allen drei HTTP-Helpers (_http_put, _http_delete, _http_propfind)
sowie beim Speichern in caldav.py Router (company + user config) – doppelter Schutz.

Getestet: 8 böse URLs geblockt, 2 legitime URLs erlaubt (10/10 OK)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
patrick
2026-05-24 12:39:59 +02:00
parent 35fcea90f4
commit 1db7164837
2 changed files with 114 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/routers/caldav.py
+28
View File
@@ -50,6 +50,20 @@ async def save_company_config(
cfg = CaldavCompanyConfig(company_id=current_user.company_id, id=uuid.uuid4())
db.add(cfg)
# SSRF-Schutz: URL validieren bevor sie gespeichert wird
if data.calendar_url:
try:
from app.services.caldav_service import _validate_caldav_url
_validate_caldav_url(data.calendar_url)
except ValueError as exc:
raise HTTPException(status_code=400, detail=f"Ungültige Kalender-URL: {exc}")
if data.principal_url:
try:
from app.services.caldav_service import _validate_caldav_url
_validate_caldav_url(data.principal_url)
except ValueError as exc:
raise HTTPException(status_code=400, detail=f"Ungültige Principal-URL: {exc}")
cfg.enabled = data.enabled
cfg.principal_url = data.principal_url
cfg.calendar_url = data.calendar_url
@@ -112,6 +126,20 @@ async def save_user_config(
cfg = CaldavUserConfig(user_id=current_user.id, id=uuid.uuid4())
db.add(cfg)
# SSRF-Schutz: URL validieren bevor sie gespeichert wird
if data.calendar_url:
try:
from app.services.caldav_service import _validate_caldav_url
_validate_caldav_url(data.calendar_url)
except ValueError as exc:
raise HTTPException(status_code=400, detail=f"Ungültige Kalender-URL: {exc}")
if data.principal_url:
try:
from app.services.caldav_service import _validate_caldav_url
_validate_caldav_url(data.principal_url)
except ValueError as exc:
raise HTTPException(status_code=400, detail=f"Ungültige Principal-URL: {exc}")
cfg.enabled = data.enabled
cfg.principal_url = data.principal_url
cfg.calendar_url = data.calendar_url