langgenius dify
cpe:2.3:a:langgenius:dify:*:*:*:*:node.js:*:*
- 1.0.0
A server-side request forgery (SSRF) vulnerability has been identified in Dify version 1.0. The issue arises in the RemoteFileUploadApi component, where the application improperly validates URL parameters, allowing unauthorized users to make outbound requests to internal or external services.
Exploitation of this vulnerability allows for unauthorized SSRF, where an attacker can make requests from the server to internal services or external systems, potentially leading to further exploitation or information disclosure.
The vulnerability can be reproduced by sending a POST request to the '/console/api/remote-files/upload' endpoint with a URL parameter pointing to an external address. The request will be processed by the RemoteFileUploadApi, which will make an outbound request to the specified URL without proper authentication or validation.
It is recommended to implement authentication for the RemoteFileUploadApi interface to prevent unauthorized access.
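As an added defensive illustration (not Dify's code; the function names and the `user` argument are assumptions), a Python gate that applies both controls the description points to: reject anonymous callers, and refuse to fetch any URL whose host resolves to a non-public address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def _addresses_for(host, resolve):
    """IP addresses a host maps to; IP literals need no DNS lookup."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolve(host)]

def _is_public(ip):
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast

def _default_resolve(host):
    """Real DNS lookup; the test passes a stub so the example runs offline."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_remote_upload(user, url, resolve=_default_resolve):
    """Gate for a 'fetch this URL for me' endpoint; returns (allowed, reason).

    `user` is the authenticated principal (None when anonymous); an assumed
    interface, not Dify's. The login check stops anonymous use; the address
    check stops any caller pointing the server at loopback, RFC 1918,
    link-local or other non-public destinations.
    """
    if user is None:
        return False, "authentication required"
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        addrs = _addresses_for(parts.hostname, resolve)
    except (ValueError, socket.gaierror):
        return False, "unresolvable host"
    if not addrs or not all(_is_public(ip) for ip in addrs):
        return False, "destination is not a public address"
    # When fetching, connect to the vetted address and do not auto-follow
    # redirects: each hop must pass this same check (rebinding, redirects).
    return True, "ok"
```

The resolver is injectable so the check can be unit-tested without network access; in production, leave the default in place.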