fix(security): harden SSRF guard with redirect validation and IPv6 coverage (#594)

Author: harlan-zw

src/runtime/server/og-image/core/plugins/imageSrc.ts

@@ -8,74 +8,10 @@ import { decodeHtml } from '../../../util/encoding'
 import { fetchLocalAsset } from '../../../util/fetchLocalAsset'
 import { getFetchTimeout } from '../../../util/fetchTimeout'
 import { logger } from '../../../util/logger'
+import { fetchWithRedirectValidation, isBlockedUrl } from '../../../util/ssrf'
 import { getImageDimensions } from '../../utils/image-detector'
 import { defineTransformer } from '../plugins'
 
-// SSRF prevention: block private/loopback URLs outside dev mode
-const RE_IPV6_BRACKETS = /^\[|\]$/g
-const RE_MAPPED_V4 = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/
-const RE_DIGIT_ONLY = /^\d+$/
-const RE_INT_IP = /^(?:0x[\da-f]+|\d+)$/i
-
-function isPrivateIPv4(a: number, b: number): boolean {
-  if (a === 127)
-    return true // loopback
-  if (a === 10)
-    return true // 10.0.0.0/8
-  if (a === 172 && b >= 16 && b <= 31)
-    return true // 172.16.0.0/12
-  if (a === 192 && b === 168)
-    return true // 192.168.0.0/16
-  if (a === 169 && b === 254)
-    return true // link-local
-  if (a === 0)
-    return true // 0.0.0.0/8
-  return false
-}
-
-/**
- * Block URLs targeting internal/private networks.
- * Handles standard IPs, hex (0x7f000001), decimal (2130706433),
- * IPv6-mapped IPv4 (::ffff:127.0.0.1), and localhost.
- * Only http/https protocols are allowed.
- */
-function isBlockedUrl(url: string): boolean {
-  let parsed: URL
-  try {
-    parsed = new URL(url)
-  }
-  catch {
-    return true
-  }
-  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
-    return true
-  const hostname = parsed.hostname.toLowerCase()
-  const bare = hostname.replace(RE_IPV6_BRACKETS, '')
-  if (bare === 'localhost' || bare.endsWith('.localhost'))
-    return true
-  // Normalize IPv6-mapped IPv4 (::ffff:1.2.3.4)
-  const mappedV4 = bare.match(RE_MAPPED_V4)
-  const ip = mappedV4 ? mappedV4[1]! : bare
-  // Standard dotted-decimal IPv4
-  const parts = ip.split('.')
-  if (parts.length === 4 && parts.every(p => RE_DIGIT_ONLY.test(p))) {
-    const octets = parts.map(Number)
-    if (octets.some(o => o > 255))
-      return true
-    return isPrivateIPv4(octets[0]!, octets[1]!)
-  }
-  // Single integer (decimal/hex) IP: e.g. 2130706433 or 0x7f000001
-  if (RE_INT_IP.test(ip)) {
-    const num = Number(ip)
-    if (!Number.isNaN(num) && num >= 0 && num <= 0xFFFFFFFF)
-      return isPrivateIPv4((num >> 24) & 0xFF, (num >> 16) & 0xFF)
-  }
-  // IPv6 private ranges
-  if (bare === '::1' || bare.startsWith('fc') || bare.startsWith('fd') || bare.startsWith('fe80'))
-    return true
-  return false
-}
-
 const RE_URL_LEADING = /^url\(['"]?/
 const RE_URL_TRAILING = /['"]?\)$/
 
@@ -173,12 +109,28 @@ async function doResolveSrcToBuffer(
     return { blocked: true }
   }
   const end = timings.start('image-fetch')
-  const buffer = (await $fetch(decodedSrc, {
-    responseType: 'arrayBuffer',
-    timeout: fetchTimeout,
-  }).catch((err) => {
-    logFailure(decodedSrc, err)
-  }).finally(end)) as BufferSource | undefined
+  // In dev we keep ofetch's default redirect-follow behaviour so loopback /
+  // proxy setups work. Outside dev, redirects are followed manually with
+  // host re-validation on every hop to close the redirect-bypass class.
+  let buffer: BufferSource | undefined
+  if (import.meta.dev) {
+    buffer = (await $fetch(decodedSrc, {
+      responseType: 'arrayBuffer',
+      timeout: fetchTimeout,
+    }).catch((err) => {
+      logFailure(decodedSrc, err)
+    }).finally(end)) as BufferSource | undefined
+  }
+  else {
+    const ab = await fetchWithRedirectValidation(decodedSrc, {
+      timeout: fetchTimeout,
+    }).catch((err) => {
+      logFailure(decodedSrc, err)
+      return null
+    }).finally(end)
+    if (ab)
+      buffer = new Uint8Array(ab)
+  }
   return buffer ? { buffer } : {}
 }
 
@@ -239,9 +191,18 @@ export default defineTransformer([
         return
       }
       // relative src couldn't be fetched — fall back to an absolute URL so
-      // satori/takumi may attempt to resolve at render time
-      if (isRelative)
+      // satori/takumi may attempt to resolve at render time (against the app's
+      // own origin, not an attacker-controlled one)
+      if (isRelative) {
         node.props.src = withBase(src, `${getNitroOrigin(ctx.e)}`)
+        return
+      }
+      // Absolute external URL whose validated fetch failed. Drop it in
+      // production: letting it survive would invite the renderer (satori
+      // fetches <img> URLs internally; takumi fetches via extractResourceUrls)
+      // to re-issue the request without SSRF/redirect validation.
+      if (!import.meta.dev)
+        delete node.props.src
     },
   },
   // fix style="background-image: url('')"
@@ -257,8 +218,14 @@ export default defineTransformer([
         delete node.props.style!.backgroundImage
         return
       }
-      if (result.buffer)
+      if (result.buffer) {
         node.props.style!.backgroundImage = `url(${toBufferSourceAsBase64(result.buffer)})`
+        return
+      }
+      // Same reasoning as the <img> branch: an absolute external URL that
+      // didn't inline must not be left for the renderer to fetch unvalidated.
+      if (!import.meta.dev && !src.startsWith('/'))
+        delete node.props.style!.backgroundImage
     },
   },
 ])

src/runtime/server/og-image/takumi/renderer.ts

@@ -5,6 +5,7 @@ import { withBase } from 'ufo'
 import { logger } from '../../../logger'
 import { fetchLocalAsset } from '../../util/fetchLocalAsset'
 import { getFetchTimeout } from '../../util/fetchTimeout'
+import { fetchWithRedirectValidation, isBlockedUrl } from '../../util/ssrf'
 import { buildSubsetFamilyChain, extractCodepoints, getDefaultFontFamily, loadFontsForRenderer, resolveSubsetChain } from '../fonts'
 import { getExtractResourceUrls, getTakumi } from './instances'
 import { createTakumiNodes } from './nodes'
@@ -205,14 +206,23 @@ async function createImage(event: OgImageRenderEventContext, format: 'png' | 'jp
           includeExternalFallback: true,
         })
       }
-      else {
+      else if (import.meta.dev) {
         data = await $fetch(src, {
           responseType: 'arrayBuffer',
           signal: AbortSignal.timeout(fetchTimeout),
           timeout: fetchTimeout,
           headers,
         }).catch(() => undefined) as ArrayBuffer | undefined
       }
+      else if (!isBlockedUrl(src)) {
+        // Defense-in-depth: any URL surviving the imageSrc transformer is
+        // re-validated here, with redirects followed manually so 30x →
+        // internal-IP cannot complete the SSRF.
+        data = (await fetchWithRedirectValidation(src, {
+          timeout: fetchTimeout,
+          headers,
+        })) ?? undefined
+      }
       if (data)
         fetchedResources.push({ src, data: new Uint8Array(data) })
     })))