pygeoapi Unauthenticated Server-Side Request Forgery Vulnerability in OGC API Process Execution
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in pygeoapi versions 0.23.0 up to but not including 0.23.3. It allows an OGC API process execution request to use the subscriber object to make the server issue HTTP requests to internal services. In the fixed version, HTTP requests to internal resources are denied by default, and that restriction is lifted only by enabling the 'allow_internal_requests' option in the process configuration.
Impact
Exploitation of this vulnerability allows for unauthorized HTTP requests to be made to internal services, which could potentially be used to access sensitive information or perform actions on behalf of the server.
Reproduction
To reproduce this vulnerability, create a process in a pygeoapi version from 0.23.0 up to but not including 0.23.3 that includes a subscriber object with an 'in_progress_uri' pointing to an internal HTTP service. When the process is executed, the server sends a request to the specified internal service, bypassing the default restriction against such requests.
Remediation
Users are advised to update to pygeoapi version 0.23.3, which patches this vulnerability by denying internal HTTP requests by default. After updating, the 'allow_internal_requests' directive in the process configuration controls whether such requests are permitted.
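As an added defensive illustration (not code from pygeoapi or from this advisory), the following deny-by-default check vets a subscriber callback URI such as 'in_progress_uri' before the server contacts it, modelled on the 'allow_internal_requests' behaviour described above. The function names and the injectable resolver are assumptions; every resolved address must be globally routable, so a name with mixed public and private records is refused.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical helper, not pygeoapi's own code: vet a subscriber URI first.

def _resolve(host):
    """Resolve a hostname to the set of IP address strings it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal_address(ip):
    """True for anything that is not globally routable unicast: loopback, RFC 1918,
    link-local (cloud metadata), unspecified, reserved, documentation, multicast."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # [::ffff:127.0.0.1] is still loopback
    return addr.is_multicast or not addr.is_global

def check_subscriber_uri(uri, allow_internal_requests=False, resolver=_resolve):
    """Deny-by-default policy in the spirit of the 'allow_internal_requests'
    switch. Returns (allowed, reason). 'resolver' is injectable so the policy
    can be exercised without network access."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname  # brackets already stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if allow_internal_requests:
        return True, "internal requests explicitly enabled in configuration"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # literal IP, no DNS
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    if not addresses:
        return False, f"{host!r} resolved to no addresses"
    # Every resolved address must be external; a name mixing public and
    # private records would otherwise let the caller reach the private one.
    internal = sorted(ip for ip in addresses if is_internal_address(ip))
    if internal:
        return False, f"{host!r} resolves to internal address(es) {internal}"
    # Caveat: resolve-then-connect is racy (DNS rebinding); the HTTP client
    # should connect to one of the vetted addresses rather than re-resolve.
    return True, "ok"
```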