go-sonic Server-Side Request Forgery Vulnerability in Theme Fetching API

A server-side request forgery (SSRF) vulnerability has been identified in go-sonic versions through 1.1.4. The issue arises in the theme fetching API, specifically within the FetchTheme function of the git_fetcher.go file. This vulnerability allows authenticated administrators to manipulate the 'uri' argument, leading the server to make unintended HTTP requests to internal or external URLs. Additionally, it enables access to local files using the 'file://' protocol. The vulnerability can be exploited remotely, and a proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an authenticated administrator can make the server send requests to arbitrary URLs. This could be used to access internal services, read local files, or probe cloud metadata endpoints in environments like AWS, GCP, or Azure.

Reproduction

To reproduce this vulnerability, an authenticated administrator must send a POST request to the /api/admin/themes/fetching endpoint, including a manipulated 'uri' parameter. The 'Admin-Authorization' header must be used to authenticate the request. Once the request is sent, the server will process the 'uri' as a Git repository URL, but without any validation, allowing for SSRF exploitation.

Remediation

It is recommended to implement strict URL validation to allow only trusted domains, block dangerous protocols like 'file://', and prevent requests to internal IP ranges. Additionally, DNS rebinding protection should be considered by resolving DNS before making requests and validating the IP.