mirror of
https://github.com/brunopostle/ifcurl.git
synced 2026-07-12 10:18:14 +00:00
1. Stored XSS in populateMetaPanel (viewer.js): IFC type and storey names from model data were interpolated unescaped into innerHTML. Added hesc() helper and applied it to all IFC-derived values. 2. sessionStorage CSS injection (viewer.html): viewerSnapshot value was used unsanitised in style.backgroundImage. Now validated to start with 'data:image/jpeg;base64,' before use. 3. Hostname-based SSRF bypass (service.py): _is_private_ip() only blocked literal IP addresses; hostnames resolving to private addresses bypassed the check. Now resolves all addresses via socket.getaddrinfo() and rejects if any resolve to a private range. Unresolvable hostnames are treated as private (fail-safe). 4. SSRF + bearer token exfiltration via BCF snapshot (bcf_api.py): get_snapshot() forwarded the caller's Authorization token to the preview service for an ifc:// URL stored in a Forgejo comment body (attacker-controlled). Now parses and validates the stored URL through _ssrf_check(), and uses the server-side token for the ifc:// host instead of the caller's credential. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| public/assets | ||