Severity: MEDIUM

GHSA-c5fp-p67m-gq56

Snappy : SSRF and local file read via the xsl-style-sheet option

Details

### Impact

It affects applications where:
- the PHP process runs with root permissions;
- the application either runs outside a container or has access to sensitive files.

It can happen with this kind of workflow, where a user-supplied value reaches the `xsl-style-sheet` option unchanged:

```php
// Attacker-controlled value; a file:// URL makes wkhtmltopdf read a local file
$stylesheet = $_GET['stylesheet']; // e.g. 'file:///etc/passwd'
$pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
$pdf->generate('page.html', 'out.pdf', [
    'xsl-style-sheet' => $stylesheet,
]);
```

### Patches

By default, an allowlist of URL schemes containing `http` and `https` is now used to validate remote paths.
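To make the scheme allowlist concrete, here is an added example (not knp-snappy's own code) of the same check applied at the application boundary, before the value is handed to Snappy. The function name `validateStylesheetUrl`, the `$samples` inputs and the surrounding variable names are this example's own assumptions:

```php
<?php
// Added example, not part of knp-snappy. Validates the value destined for the
// xsl-style-sheet option against a scheme allowlist before Snappy sees it.

/**
 * Accept only stylesheet references whose URL scheme is in the allowlist.
 * Returns the value unchanged on success; throws on anything else
 * (file://, php://, data:, bare local paths, ...).
 */
function validateStylesheetUrl(string $url, array $allowedSchemes = ['http', 'https']): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        // No scheme at all: a bare path such as /etc/passwd or ../secret.xsl
        throw new \InvalidArgumentException('Stylesheet must be an absolute http(s) URL.');
    }
    $scheme = strtolower($parts['scheme']); // FILE:// must not bypass the check
    if (!in_array($scheme, $allowedSchemes, true)) {
        throw new \InvalidArgumentException(sprintf('Scheme "%s" is not allowed.', $scheme));
    }
    if (empty($parts['host'])) {
        throw new \InvalidArgumentException('Stylesheet URL has no host.');
    }
    return $url;
}

// Constructed sample inputs (assumed, not from the advisory), exercised
// without invoking wkhtmltopdf.
$samples = [
    'https://assets.example.com/xsl/invoice.xsl',                  // accepted
    'http://assets.example.com/xsl/report.xsl',                    // accepted
    'file:///etc/passwd',                                          // rejected: local file read
    'php://filter/read=convert.base64-encode/resource=/app/.env',  // rejected: stream wrapper
    '/etc/passwd',                                                 // rejected: no scheme
    'FILE:///etc/shadow',                                          // rejected: scheme case-folded
];

foreach ($samples as $sample) {
    try {
        echo 'accept  ' . validateStylesheetUrl($sample) . PHP_EOL;
    } catch (\InvalidArgumentException $e) {
        echo "reject  {$sample}: " . $e->getMessage() . PHP_EOL;
    }
}

// In the real workflow the validated value is what reaches Snappy:
// $pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
// $pdf->generate('page.html', 'out.pdf', [
//     'xsl-style-sheet' => validateStylesheetUrl($_GET['stylesheet'] ?? ''),
// ]);
```

Note that a scheme allowlist only closes the local file read: an `http://` URL pointing at an internal host still passes, so the SSRF half of the issue is only removed by not letting users choose the location at all, as in the workaround in the next section.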

### Workarounds

Developers must ensure that user-controlled input is never passed directly to the Snappy library as an option value.

```php
// Bad example: the option value comes straight from the request
$pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
$pdf->generate('page.html', 'out.pdf', [
    'xsl-style-sheet' => $_GET['input'],
]);
```

Instead, developers can maintain a list of available stylesheets and use the user input only to pick one of them.

```php
// Better: user input selects a key; the path itself is never user-controlled
$allowedStylesheets = [
    'invoice' => '/app/xsl/invoice.xsl',
    'report'  => '/app/xsl/report.xsl',
];

$key = $_GET['stylesheet'] ?? '';

if (!array_key_exists($key, $allowedStylesheets)) {
    throw new \RuntimeException('Unknown stylesheet.');
}

$pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
$pdf->generate('page.html', 'out.pdf', [
    'xsl-style-sheet' => $allowedStylesheets[$key],
]);
```

### References

Read more about SSRF at [owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)

Affected package

Packagist / knplabs/knp-snappy
First affected version: 0
Fixed version: 1.7.0
Fix: composer require knplabs/knp-snappy:^1.7.0