HummerRisk Server-Side Request Forgery Vulnerability in Video File Download URL Handler

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in HummerRisk versions prior to 1.5.0. The issue arises in the `ServerService.addServer` function within the `ServerService.java` file, specifically related to the Video File Download URL Handler component. The vulnerability allows remote attackers to manipulate the `streamIp` parameter, which is not properly validated before being stored in the database. This unvalidated data is later used to construct HTTP URLs for downloading video files, enabling SSRF attacks.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests to internal or external resources on behalf of the server, potentially leading to unauthorized data access or manipulation.
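The defect described above is a host value that is accepted as-is, persisted, and later spliced into an HTTP URL. As an added example (not HummerRisk's own code), the following policy class validates a `streamIp` value as a public IPv4 literal before it is stored and again when the download URL is assembled; the class name, the fixed port and the `/video/` path are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not HummerRisk code: call isPublicIpv4 before persisting streamIp
// and let downloadUrl re-check it at use time, so a stored value is never trusted blindly.
public final class StreamIpPolicy {
    private static final Pattern DOTTED_QUAD =
            Pattern.compile("^(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})$");

    // {network, prefix length}: ranges a user-supplied stream host must never point at
    // (unspecified, RFC 1918, CGNAT, loopback, link-local incl. cloud metadata, multicast/reserved).
    private static final long[][] DENY = {
            {ip(0, 0, 0, 0), 8}, {ip(10, 0, 0, 0), 8}, {ip(100, 64, 0, 0), 10},
            {ip(127, 0, 0, 0), 8}, {ip(169, 254, 0, 0), 16}, {ip(172, 16, 0, 0), 12},
            {ip(192, 168, 0, 0), 16}, {ip(224, 0, 0, 0), 3},
    };

    private static long ip(int a, int b, int c, int d) {
        return ((long) a << 24) | ((long) b << 16) | ((long) c << 8) | d;
    }

    /** Packs a dotted quad into 32 bits; returns -1 for anything else (names, schemes, ports, paths). */
    static long parse(String streamIp) {
        if (streamIp == null) return -1;
        Matcher m = DOTTED_QUAD.matcher(streamIp);
        if (!m.matches()) return -1;
        long packed = 0;
        for (int i = 1; i <= 4; i++) {
            int octet = Integer.parseInt(m.group(i));
            if (octet > 255) return -1;
            packed = (packed << 8) | octet;
        }
        return packed;
    }

    /** True only for a syntactically valid IPv4 literal that lies outside every denied range. */
    public static boolean isPublicIpv4(String streamIp) {
        long addr = parse(streamIp);
        if (addr < 0) return false;
        for (long[] range : DENY) {
            long mask = (0xFFFFFFFFL << (32 - range[1])) & 0xFFFFFFFFL;
            if ((addr & mask) == range[0]) return false;
        }
        return true;
    }

    /** Builds the download URL from the validated host plus server-controlled parts only. */
    public static String downloadUrl(String streamIp, String fileName) {
        if (!isPublicIpv4(streamIp) || !fileName.matches("[A-Za-z0-9_.-]+")) {
            throw new IllegalArgumentException("streamIp or file name rejected");
        }
        return "http://" + streamIp + ":8080/video/" + fileName; // port and path fixed server-side
    }
}
```

If the field is allowed to hold a hostname rather than a literal, resolve it at request time and apply the same range check to the resolved address, because a name that passed validation when stored can later resolve to an internal address.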

Reproduction

To reproduce this vulnerability, a valid user account with server creation privileges is required. Once logged in, the `publicKey` parameter can be injected with a malicious payload, such as JavaScript, which is then executed when an administrator views the server list.

Remediation

It is recommended to implement proper input validation for the `publicKey` parameter to ensure only valid SSH key formats are accepted. Additionally, output encoding should be applied to sanitize user-controlled content before it is displayed in the interface.

Added: Apr 13, 2026, 10:54 PM
Updated: Apr 13, 2026, 10:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.0
remediation: 0.0
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.