Conversation
* init * upgrade neo * useDiagnostic * Update RpcServer.SmartContract.cs * invoke tree * add event * Add storage changes * Update nuget * rename event state * Unify * update neofs * fix json Co-authored-by: Shargon <shargon@gmail.com> Co-authored-by: Erik Zhang <erik@neo.org> Co-authored-by: Owen Zhang <38493437+superboyiii@users.noreply.github.com>
* add in file copyright * fix the copyright * update copyright start year * Delete copyright.sh * Delete copyright.txt Co-authored-by: Owen Zhang <38493437+superboyiii@users.noreply.github.com> Co-authored-by: Erik Zhang <erik@neo.org>
* init * refac Co-authored-by: Shargon <shargon@gmail.com>
| if (!Settings.Default.AllowedContentTypes.Contains(message.Content.Headers.ContentType.MediaType)) | ||
| return (OracleResponseCode.ContentTypeNotSupported, null); | ||
| if (!Settings.Default.AllowPrivateHost && message.RequestMessage.RequestUri != uri) |
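Review bot: the `message.RequestMessage.RequestUri != uri` comparison on the last line is evaluated only after `GetAsync` has returned, so when `AllowPrivateHost` is false a redirect to a private host has already been followed and fetched before this branch rejects it; the check only hides the body, it does not prevent the request. Disable automatic redirects on the handler (`AllowAutoRedirect = false`) and validate each `Location` target against the host rules before issuing the next request. The same ordering concern applies to the `AllowedContentTypes` check above it, which also runs after the response has been received.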
I don't think it really works to prevent SSRF, since the request is already sent in the line:
message = await client.GetAsync(uri, HttpCompletionOption.ResponseContentRead, cancellation);
Yes. It will leak information such as resource existence, at least, because this check is not the first branch.
Agree with @vang1ong7ang. I think that the redirection must be manual, like #692.
Yeah, we should not assume GET requests have no side effects.
I prefer to avoid the request happening, not only the final content uploading.
DNS rebinding should also be considered.
It seems that it's difficult to prevent SSRF in .NET.
@dusmart Also in Golang, I think.
Since we support HTTPS only, I think we don't need to worry about DNS rebinding.
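The manual redirect handling the reviewers ask for, written out as an added example. This is not neo-modules code and does not match the project's settings or class names: `SafeFetcher`, `IsAllowedTarget`, `FetchWithManualRedirects`, `MaxRedirects` and the `allowPrivateHost` flag are this example's own. The point it shows is ordering: every target, including each redirect hop, is checked before any request to it is sent, rather than after the response has been read.

```csharp
// Added example (not neo-modules code): validate every hop before requesting it.
// IsAllowedTarget, FetchWithManualRedirects and MaxRedirects are example names.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Threading;
using System.Threading.Tasks;

public static class SafeFetcher
{
    private const int MaxRedirects = 2;                      // assumed policy value
    private static readonly string[] AllowedSchemes = { "https" };

    // Reject a target before contacting it: https only, no userinfo, and
    // (unless private hosts are allowed) no address that resolves to a
    // loopback, private, link-local or unique-local range.
    public static bool IsAllowedTarget(Uri uri, bool allowPrivateHost)
    {
        if (!AllowedSchemes.Contains(uri.Scheme, StringComparer.OrdinalIgnoreCase)) return false;
        if (!string.IsNullOrEmpty(uri.UserInfo)) return false;
        if (allowPrivateHost) return true;

        IPAddress[] addresses = IPAddress.TryParse(uri.DnsSafeHost, out var literal)
            ? new[] { literal }
            : Dns.GetHostAddresses(uri.DnsSafeHost);         // every A/AAAA answer must pass
        return addresses.Length > 0 && addresses.All(a => !IsPrivate(a));
    }

    private static bool IsPrivate(IPAddress a)
    {
        if (IPAddress.IsLoopback(a) || a.Equals(IPAddress.Any) || a.Equals(IPAddress.IPv6Any)) return true;
        if (a.IsIPv4MappedToIPv6) a = a.MapToIPv4();         // ::ffff:10.0.0.1 style bypass
        if (a.AddressFamily == AddressFamily.InterNetwork)
        {
            byte[] b = a.GetAddressBytes();
            return b[0] == 10
                || (b[0] == 172 && (b[1] & 0xF0) == 16)
                || (b[0] == 192 && b[1] == 168)
                || (b[0] == 169 && b[1] == 254)               // link-local, incl. 169.254.169.254
                || b[0] == 127
                || b[0] == 0;
        }
        return a.IsIPv6LinkLocal || a.IsIPv6SiteLocal
            || (a.GetAddressBytes()[0] & 0xFE) == 0xFC;       // fc00::/7
    }

    // AllowAutoRedirect = false makes HttpClient hand back the 3xx response instead
    // of silently requesting the Location target, so the next hop can be checked
    // with IsAllowedTarget before it is ever requested.
    public static async Task<(HttpStatusCode Status, string Body)> FetchWithManualRedirects(
        Uri uri, bool allowPrivateHost, CancellationToken ct)
    {
        using var handler = new HttpClientHandler { AllowAutoRedirect = false, UseCookies = false };
        using var client = new HttpClient(handler);

        for (int hop = 0; hop <= MaxRedirects; hop++)
        {
            if (!IsAllowedTarget(uri, allowPrivateHost))
                throw new InvalidOperationException($"refusing request to {uri}");

            // Headers only: do not pull the body until the target has been accepted.
            using var response = await client.GetAsync(uri, HttpCompletionOption.ResponseHeadersRead, ct);
            int code = (int)response.StatusCode;
            if (code >= 300 && code < 400 && response.Headers.Location != null)
            {
                uri = new Uri(uri, response.Headers.Location);   // resolve a relative Location
                continue;                                        // re-validated at the top of the loop
            }
            return (response.StatusCode, await response.Content.ReadAsStringAsync());
        }
        throw new InvalidOperationException("too many redirects");
    }
}
```

One caveat that matches the DNS rebinding remark in the thread: `IsAllowedTarget` resolves the name itself, and `HttpClient` resolves it again when it connects, so a name that changes its answer between the two lookups can still pass. Closing that gap means connecting to the address that was checked (in .NET 5+ a `SocketsHttpHandler.ConnectCallback` can do this); the example above does not go that far.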
Fix #693