AstrBotDevs AstrBot Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in AstrBotDevs AstrBot versions through 4.22.1. This vulnerability exists in the API Endpoint component, specifically within the post_data.get function. The issue arises because several API endpoints accept user-controlled URLs or proxy parameters and make server-side HTTP requests without proper validation. This lack of validation allows attackers to access internal network services, cloud instance metadata endpoints, and other resources that should not be publicly accessible.
Impact
Exploitation of this vulnerability allows for unauthorized access to internal network services, cloud metadata endpoints, and other restricted resources. This could lead to internal network scanning, access to private services, and potential data exfiltration.
Reproduction
The vulnerability can be reproduced by sending a POST request to one of the affected API endpoints, such as '/api/plugin/install', '/api/stat/test-ghproxy-connection', '/api/update/do', or '/api/kb/document/upload/url'. Include a user-controlled URL or proxy parameter in the request. The server will process the request and make an outbound HTTP request to the specified URL or through the provided proxy, bypassing any internal network access controls.
Remediation
It is recommended to implement URL validation to block private or internal IP ranges, restrict URL schemes to http and https only, resolve DNS before making connections to ensure the resolved IP is not internal, validate proxy parameters against a trusted allowlist, and set a maximum redirect count while re-validating each redirect target.
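The checks listed above, implemented in Python as an added example (this is not AstrBot's own code). The proxy allowlist entry, the `fetch` callable used for redirect handling and the injectable `resolver` are assumptions made for illustration:

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
# Placeholder allowlist: operators would fill this with the proxies they actually trust.
TRUSTED_PROXIES = {"http://proxy.internal.example:3128"}


def resolve_all(host):
    """Every address the host currently resolves to (A and AAAA), as strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_url(url, resolver=resolve_all):
    """Return url unchanged if it uses http(s) and every resolved address is publicly
    routable; raise ValueError otherwise. The resolver is injectable for offline tests."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    for addr in resolver(parts.hostname):
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as the IPv4 it carries.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global or ip.is_multicast:
            raise ValueError(f"{parts.hostname} resolves to non-public address {ip}")
    return url


def validate_proxy(proxy):
    """Proxies are never accepted free-form; they must match the allowlist exactly."""
    if proxy not in TRUSTED_PROXIES:
        raise ValueError("proxy is not in the trusted allowlist")
    return proxy


def fetch_checked(url, fetch, resolver=resolve_all):
    """Follow redirects by hand so every hop is validated before it is requested.
    fetch(url) is caller-supplied, returns (status, location_or_body), never auto-redirects."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolver)
        status, value = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, value)  # next hop is re-validated at the top of the loop
            continue
        return value
    raise ValueError(f"more than {MAX_REDIRECTS} redirects")
```

Resolving before connecting still leaves a window for DNS rebinding between the check and the request; pinning the connection to the validated address closes it.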