DbGate Server-Side Request Forgery Vulnerability in REST/GraphQL Component

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in DbGate versions through 7.1.4. The issue lies in the REST/GraphQL component, specifically in the 'apiServerUrl1' function of 'packages/rest/src/openApiDriver.ts'. An authenticated user can direct server-side HTTP requests to arbitrary URLs, including internal services that are not reachable from the external network. The root cause is that a user-controlled URL is passed to axios and fetched by the server without validation of its scheme or destination host. As a result, the server can be made to retrieve restricted resources or metadata endpoints on the user's behalf.

Impact

Exploitation of this vulnerability allows authenticated users to use the server as an HTTP client, accessing internal services, localhost-only endpoints, or cloud metadata endpoints reachable from the server network.

Reproduction

To reproduce this vulnerability, open the DbGate application and create a new REST connection. Set the API Definition URL to point to an internal-only service that is not exposed to the outside network. When the connection is tested, the server makes a request to the internal service, demonstrating the SSRF vulnerability.

Added: Apr 13, 2026, 8:47 PM
Updated: Apr 13, 2026, 8:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.