ifcurl/forgejo/custom
Bruno Postle 8101e1afcf Fix four security vulnerabilities found in security review
1. Stored XSS in populateMetaPanel (viewer.js): IFC type and storey
   names from model data were interpolated unescaped into innerHTML.
   Added hesc() helper and applied it to all IFC-derived values.

2. sessionStorage CSS injection (viewer.html): viewerSnapshot value was
   used unsanitised in style.backgroundImage. Now validated to start
   with 'data:image/jpeg;base64,' before use.

3. Hostname-based SSRF bypass (service.py): _is_private_ip() only
   blocked literal IP addresses; hostnames resolving to private
   addresses bypassed the check. Now resolves all addresses via
   socket.getaddrinfo() and rejects if any resolve to a private range.
   Unresolvable hostnames are treated as private (fail-safe).

4. SSRF + bearer token exfiltration via BCF snapshot (bcf_api.py):
   get_snapshot() forwarded the caller's Authorization token to the
   preview service for an ifc:// URL stored in a Forgejo comment body
   (attacker-controlled). Now parses and validates the stored URL
   through _ssrf_check(), and uses the server-side token for the
   ifc:// host instead of the caller's credential.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-07 14:49:45 +01:00
..
public/assets Fix four security vulnerabilities found in security review 2026-06-07 14:49:45 +01:00