From 70bd6f7b4f3971340fbdcffa3f61356703fea4b9 Mon Sep 17 00:00:00 2001
From: Iesan Remus
Date: Thu, 12 Jun 2025 14:36:26 +0300
Subject: [PATCH] BAU-27505 Fix Server-Side Request Forgery (SSRF) / Path Traversal issues
---
 example-wrapper.php | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/example-wrapper.php b/example-wrapper.php
index 5ac80fc9..c5ae48ab 100755
--- a/example-wrapper.php
+++ b/example-wrapper.php
@@ -166,9 +166,29 @@ public function stream_seek($offset, $whence) {
 private function __getURL($path) {
 $this->url = parse_url($path);
- if (!isset($this->url['scheme']) || $this->url['scheme'] !== 's3') return $this->url;
- if (isset($this->url['user'], $this->url['pass'])) self::setAuth($this->url['user'], $this->url['pass']);
- $this->url['path'] = isset($this->url['path']) ? substr($this->url['path'], 1) : '';
+
+ // Only allow 's3' scheme
+ if (!isset($this->url['scheme']) || $this->url['scheme'] !== 's3') {
+ throw new InvalidArgumentException('Invalid scheme: only s3:// is allowed');
+ }
+
+ // Validate bucket name
+ if (
+ !isset($this->url['host']) ||
+ !preg_match('/^(?!^\d+\.\d+\.\d+\.\d+$)(?!.*\.\.)(?!.*\.$)(?!^\.)[a-z0-9]([a-z0-9.-]{1,61}[a-z0-9])?$/', $this->url['host'])
+ ) {
+ throw new InvalidArgumentException('Invalid S3 bucket name');
+ }
+
+ // Validate path (no directory traversal)
+ $this->url['path'] = isset($this->url['path']) ? ltrim($this->url['path'], '/') : '';
+ if (strpos($this->url['path'], '..') !== false) {
+ throw new InvalidArgumentException('Invalid S3 object path');
+ }
+
+ if (isset($this->url['user'], $this->url['pass'])) {
+ self::setAuth($this->url['user'], $this->url['pass']);
+ }
 }
 private function __translateMode($mode) {
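Review bot: The traversal check added under `// Validate path (no directory traversal)` tests for the substring `..` anywhere in the key, which rejects legitimate object keys such as `report..2025.csv` while inspecting only the raw, still percent-encoded output of parse_url(). A segment-wise check that rejects exactly `.` and `..` path components is more precise and easier to reason about; if the key is later percent-decoded before it reaches the request builder (not visible in this hunk), run the same check on the decoded form as well. Separately, __getURL() now throws on every validation failure where it used to return `$this->url` for a non-s3 scheme, so any caller that used that return value, and any stream-wrapper callback such as url_stat() that PHP expects to fail quietly by returning false, would need a catch; the callers are outside this hunk.
```php
		// Validate path (no directory traversal): reject '.' and '..' as whole segments
		$this->url['path'] = isset($this->url['path']) ? ltrim($this->url['path'], '/') : '';
		foreach (explode('/', $this->url['path']) as $segment) {
			if ($segment === '.' || $segment === '..') {
				throw new InvalidArgumentException('Invalid S3 object path');
			}
		}
		// … unchanged: setAuth() call …
```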