LinkAce Server-Side Request Forgery Vulnerability in Link Creation
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in LinkAce, a self-hosted link management application, in versions through 2.0.0. The issue arises during the link creation process, where the server fetches HTML metadata from user-provided URLs. The validation rules of the LinkStoreRequest form request do not include a check that blocks private IP addresses, so the server will issue requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. Although LinkAce ships a NoPrivateIpRule validation class, it is not applied in the main link creation workflow, leaving a gap that can be exploited.
Impact
Exploitation of this vulnerability allows an authenticated LinkAce user to reach cloud metadata services in AWS, GCP, and Azure and retrieve sensitive information such as IAM credentials. The vulnerability can also be used to reach internal Docker services or private IPs, revealing the internal network topology, and to perform port scanning that maps internal services.
Reproduction
To reproduce this vulnerability, deploy LinkAce using the official Docker production setup. After logging in as any user, create a new link with a URL that points to a private IP address or a cloud metadata endpoint, such as 'http://169.254.169.254/latest/meta-data/'. The server will accept the link and make a request to the specified URL, bypassing the private IP validation. This vulnerability can also be reproduced by targeting internal Docker service hostnames or IP addresses.
Remediation
To address this vulnerability, the NoPrivateIpRule should be added to the validation rules of the LinkStoreRequest, LinkUpdateRequest, and BulkStoreLinksRequest form request classes, so that every path that accepts a user-supplied URL rejects hosts that resolve to private, loopback, link-local, or otherwise reserved addresses.
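The following is an added illustration of the remediation described above; it is not LinkAce's own code, and the shape of the form request, the field names ('url', 'links.*.url') and the rule's internals are assumptions. It shows a Laravel validation rule that rejects a URL when its host is, or resolves to, a private or reserved address, together with the form request wiring that applies the rule. The rule goes beyond the single metadata address in the advisory and covers the loopback, link-local, RFC 1918, RFC 6598 and reserved IPv6 ranges that PHP's IP filter flags know about.

```php
<?php
// Added example (not LinkAce's code): a Laravel validation rule that rejects
// URLs whose host is, or resolves to, a loopback, link-local, private or
// reserved address, and the form request that applies it.
// Everything except the class name NoPrivateIpRule is an assumption.

declare(strict_types=1);

use Illuminate\Contracts\Validation\ValidationRule;
use Illuminate\Foundation\Http\FormRequest;

final class NoPrivateIpRule implements ValidationRule
{
    public function validate(string $attribute, mixed $value, \Closure $fail): void
    {
        $host = parse_url((string) $value, PHP_URL_HOST);
        if (!is_string($host) || $host === '') {
            $fail('The :attribute must contain a valid host.');
            return;
        }
        $host = trim($host, '[]'); // IPv6 literals arrive bracketed

        // A literal IP is checked directly; a hostname is checked on every
        // address it resolves to, so a name pointing at 10.0.0.5 or at a
        // Docker service on the internal network is rejected as well.
        $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
            ? [$host]
            : self::resolve($host);

        if ($addresses === []) {
            $fail('The :attribute host could not be resolved.');
            return;
        }

        foreach ($addresses as $ip) {
            if (!self::isPublic($ip)) {
                $fail('The :attribute must not point to a private or reserved address.');
                return;
            }
        }
    }

    /** @return string[] IPv4 and IPv6 addresses for a hostname (empty if none). */
    private static function resolve(string $host): array
    {
        $v4 = gethostbynamel($host) ?: [];
        $v6 = array_map(
            static fn (array $record): string => $record['ipv6'],
            dns_get_record($host, DNS_AAAA) ?: []
        );
        return array_values(array_unique(array_merge($v4, $v6)));
    }

    private static function isPublic(string $ip): bool
    {
        // FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7.
        // FILTER_FLAG_NO_RES_RANGE rejects 0/8, 127/8, 169.254/16 (the cloud
        // metadata range), 240/4, ::1, ::, ::ffff:0:0/96 and fe80::/10.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
        // Shared address space 100.64.0.0/10 (RFC 6598) is not covered by the
        // flags above, so it is checked explicitly for IPv4.
        $packed = ip2long($ip);
        return $packed === false || ($packed & 0xFFC00000) !== 0x64400000;
    }
}

// Assumed shape of the link creation request. Before the fix the URL field was
// only checked for syntax; after the fix the rule above is appended. The same
// rule belongs in LinkUpdateRequest and, for the bulk import, on each entry.
final class LinkStoreRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            // 'url' => ['required', 'url'],                      // vulnerable: syntax only
            'url' => ['required', 'url', new NoPrivateIpRule()],  // remediated
        ];
    }
}

final class BulkStoreLinksRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'links' => ['required', 'array'],
            'links.*.url' => ['required', 'url', new NoPrivateIpRule()], // assumed field name
        ];
    }
}
```

Two points matter for anyone applying this in practice. First, the rule checks the host at validation time, whereas the metadata fetch happens later; a host that later resolves differently, or an HTTP redirect to an internal address, is not caught by request validation alone, so the HTTP client that performs the fetch should apply the same address check per connection and per redirect hop. Second, the ValidationRule interface shown is the Laravel 10+ form; older releases use the Rule interface with passes() and message(), so the class needs adjusting to whichever framework version the application runs.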