Coordinated Disclosure Timeline
- 2023-12-11: Sent a report to the email from the security policy.
- 2024-01-05: Advisory is published and CVE is assigned.
Summary
Dtale 3.8.1 is vulnerable to server-side request forgery (SSRF): a user-controlled URL is fetched by the server without any restriction on its scheme or destination.
Project
Dtale
Tested Version
3.8.1
Details
SSRF in views.py (GHSL-2023-262)
The web_upload function in dtale/views.py takes a user-controlled url parameter and passes it to loader_func in dtale/cli/loaders/csv_loader.py, which in turn passes it to the handle_path function in dtale/cli/clickutils.py. handle_path uses the destination given in url to make a GET request on line 244. No restriction is placed on what url may contain (scheme, host or the address the host resolves to), which leads to server-side request forgery (SSRF). The contents of the files fetched from url can then be read inside dtale.
dtale/cli/clickutils.py

```python
import requests

# is_url and handle_str_content are defined elsewhere in dtale; only the
# affected helper is reproduced here.
def handle_path(path, kwargs, resp_handler=handle_str_content):
    if is_url(path):
        proxy = kwargs.pop("proxy", None)
        req_kwargs = {}
        if proxy is not None:
            req_kwargs["proxies"] = dict(http=proxy, https=proxy)
        # path is the user-supplied URL: no scheme, host or address check
        # happens before the server issues the request
        resp = requests.get(path, **req_kwargs)
        assert resp.status_code == 200
        return resp_handler(resp)
    return path
```
This issue was found with the help of the CodeQL "Full server-side request forgery" query.
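The check that is missing from handle_path is a destination policy: restrict the scheme, resolve the host, and refuse anything that lands on a loopback, private, link-local or otherwise non-public address, on every redirect hop. The following is an added example of such a policy, written here for illustration; it is not dtale's code or the project's fix. It assumes that only http(s) fetches of public hosts are wanted, that `requests` is the HTTP client (as in the vulnerable helper), and that the resolver can be swapped out, so the decisions can be exercised offline against a constructed lookup table (`CONSTRUCTED_DNS`, `constructed_resolver`) standing in for DNS.

```python
"""Destination policy for an upload-from-URL feature (added example, not dtale's code)."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """The URL must not be fetched on behalf of the server."""


def resolve_all(host):
    """Default resolver: every A/AAAA address the host resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip_text)
    # Judge an IPv4-mapped IPv6 address (::ffff:10.0.0.1) by its IPv4 form,
    # otherwise a private IPv4 target could hide behind an IPv6 literal.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_upload_url(url, resolver=resolve_all):
    """Return the addresses the URL's host resolves to, or raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    try:
        parts.port  # raises ValueError for a malformed port such as ':abc'
    except ValueError:
        raise UnsafeURL("malformed port")
    try:
        ips = [str(ipaddress.ip_address(host))]  # IP literal, including [::1]
    except ValueError:
        try:
            ips = resolver(host)
        except (socket.gaierror, KeyError):
            raise UnsafeURL("host does not resolve: %r" % host)
    if not ips:
        raise UnsafeURL("host does not resolve: %r" % host)
    # Every answer must be public: a name with mixed public/private answers
    # is rejected outright rather than trusting whichever one gets connected to.
    blocked = [ip for ip in ips if not is_public_address(ip)]
    if blocked:
        raise UnsafeURL("non-public destination: %s" % ", ".join(blocked))
    return ips


def is_allowed(url, resolver=resolve_all):
    """Boolean verdict for callers that do not need the reason."""
    try:
        validate_upload_url(url, resolver)
    except UnsafeURL:
        return False
    return True


def fetch_validated(url, kwargs, max_redirects=3, timeout=10):
    """Replacement for the remote branch of handle_path: checks every hop itself."""
    import requests  # imported lazily; the checks above need only the stdlib

    req_kwargs = {"allow_redirects": False, "timeout": timeout}
    proxy = kwargs.pop("proxy", None)
    if proxy is not None:
        req_kwargs["proxies"] = dict(http=proxy, https=proxy)
    for _ in range(max_redirects + 1):
        validate_upload_url(url)
        resp = requests.get(url, **req_kwargs)
        if resp.is_redirect:  # re-validate the Location target on the next loop
            url = urljoin(url, resp.headers["Location"])
            continue
        if resp.status_code != 200:
            raise RuntimeError("unexpected status %d from %s" % (resp.status_code, url))
        return resp
    raise UnsafeURL("too many redirects")


# Constructed lookup table standing in for DNS so the checks run offline.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],           # cloud-metadata style target
    "db.corp": ["10.0.0.5"],
    "flaky.example": ["93.184.216.34", "127.0.0.1"],    # mixed public/loopback answer
    "v6mapped.example": ["::ffff:10.0.0.1"],
}


def constructed_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror("constructed resolver: unknown host %r" % host)
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in ["https://example.com/data.csv", "file:///etc/passwd",
                      "http://metadata.internal/latest/meta-data/",
                      "http://127.0.0.1:40000/", "http://flaky.example/x.json"]:
        verdict = "allowed" if is_allowed(candidate, constructed_resolver) else "blocked"
        print("%-45s %s" % (candidate, verdict))
```

Redirects are deliberately not followed by `requests` itself, since an auto-followed Location header would reintroduce the unchecked destination. One gap remains even with this policy: the name is resolved once for the check and again by the HTTP client when it connects, so a host whose answer changes between the two lookups (DNS rebinding) can still slip through; closing that requires connecting to the validated address directly, for example through a custom transport adapter that pins the IP.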
Impact
This issue allows an attacker to craft GET requests to internal and external resources on behalf of the server. For example, it allows access to resources on the internal network that the server can reach, even though those resources may not be reachable from the internet.
The response is parsed and displayed for any file type dtale can process (csv, tsv, json, excel, parquet and txt), so such files can be read from arbitrary sources. For all other content, it is a blind server-side request forgery.
CVE
- CVE-2024-21642
Credit
This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-262 in any communication regarding this issue.